Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Victory, or not? Abnow / ZeroAccess Rootkit on Macbook Pro with Windows 7


  • This topic is locked This topic is locked
12 replies to this topic

#1 jetsk

jetsk

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:36 AM

Posted 02 March 2012 - 06:46 PM

Hello, I have a Macbook Pro running Windows 7 and MacOS via Bootcamp (but I use almost only Windows 7).

Yesterday I suddenly had those Abnow redirections and found out that I have the ZeroAccess Rootkit (see first scans with MBAM (Malwarebytes) and OTL).
People on a german forum told me it would be next to impossible to remove it and suggest to re-install the whole system, but I really do not have the time for that.

But then I managed to remove it, and suddenly it looked like it is gone, but I don't know how sure I can be that it's REALLY gone.
What I did (in chronological order):

1) Set the system back to an earlier restore point (from yesterday morning), after doing that, the Google redirections were gone.
2) Full scan with up-to-date MBAM (Malwarebytes) and OTL (as said, see first scans mbam-log-2012-03-02 (01-56-02).txt and otl.txt)
3) Then I used MBAM to remove all ZeroAccess and other entries
4) Reboot
5) Another MBAM full scan: no malignant entries anymore, everything clean
6) Switched internet connection back on, surfed a while to see if everything works
7) Reboot, one more MBAM full scan: still everything clean
8) Downloaded Combofix, reboot in secure mode, started Combofix (see combofix.txt)
9) Reboot, downloaded GMER, scan, see gmer.txt
10) Downloaded OSAM, scan, all entries 'green', just the 'Save-Log' did not work as the Save-As dialogue simply did not show up (!?)
11) Downloaded aswMBR.exe, updated to current virus definitions, scan. Results in aswMBR.txt, the only line that was marked red was:
16:36:57.857 \Driver\atapi[0xfffffa8007e5b6b0] -> IRP_MJ_CREATE -> 0xfffffa8007d082c0
Is that maybe because of the installed Daemon Tools?
12) Downloaded TDSSKiller, scan, everything clean (see tdsskiller.txt)
13) Another scan with OTL, see OTL_zwei.txt
14) Reboot
15) Another full scan with MBAM, still everything clean (see mbam-log-2012-03-02 (17-35-28)_danach.txt)

What I am wondering is that actually it seems like ZeroAccess was gone after step 3 and did not come back. Also, Combofix did not detect anything. I am really wondering if my system is clean again or if it just looks clean. How can I tell, are there any other/more ways to find out?

Thank you so much for your help!!

Magnus

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:36 AM

Posted 04 March 2012 - 03:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 jetsk

jetsk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:36 AM

Posted 05 March 2012 - 03:33 AM

Hi myrti,

thanks for the response.
I downloaded OTL again from your link (btw., I had used the same link before when I downloaded it the first time).
and have run the scan including the custom scans.

Only OTL.txt popped up afterwards, could it be that in the current version there is no extra.txt anymore?

About my Windows: my Windows is Windows 7 Professional, Version 6.1, 64bit.
Yes I do have my Windows DVD ready.

The only problem in the beginning were the "Abnow"-redirections.
I don't have any problems anymore, no BSOD or anything after I followed all the steps that I have outlined in my first post.
I'm just not sure how I can tell that I really got rid of the ZeroAccess rootkit.

This is the new OTL.txt:

OTL logfile created on: 05.03.2012 09:22:08 - Run 3
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Users\-\Desktop\DOWNLOAD
64bit- Professional (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

7,98 Gb Total Physical Memory | 5,77 Gb Available Physical Memory | 72,33% Memory free
15,95 Gb Paging File | 13,14 Gb Available in Paging File | 82,41% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 98,85 Gb Total Space | 2,76 Gb Free Space | 2,80% Space Free | Partition Type: NTFS
Drive E: | 49,88 Gb Total Space | 26,13 Gb Free Space | 52,39% Space Free | Partition Type: HFS
Drive G: | 298,09 Gb Total Space | 5,49 Gb Free Space | 1,84% Space Free | Partition Type: NTFS

Computer Name: D | User Name: - | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.03.05 09:21:40 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\-\Desktop\DOWNLOAD\OTL(1).exe
PRC - [2012.03.03 10:34:04 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012.02.18 18:10:38 | 000,399,512 | ---- | M] (Mozilla Messaging) -- C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
PRC - [2012.01.13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.01.13 14:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011.09.21 09:58:06 | 000,096,256 | ---- | M] (Robert McNeel & Associates) -- C:\Program Files (x86)\Rhinoceros 5.0 WIP\System\RhinoVersionCheckSvc32.exe
PRC - [2011.08.04 15:18:12 | 003,225,504 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
PRC - [2011.08.04 15:17:18 | 000,130,976 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookSvc.exe
PRC - [2011.08.04 15:17:06 | 000,169,624 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2011.08.04 15:17:04 | 001,149,864 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2011.08.04 15:16:58 | 001,082,800 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2010.10.10 18:15:46 | 001,265,664 | ---- | M] (www.bid-o-matic.org) -- C:\Program Files (x86)\Biet-O-Matic\Biet-O-Matic.exe
PRC - [2010.09.01 07:39:18 | 001,164,584 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
PRC - [2010.08.16 00:58:55 | 010,168,856 | ---- | M] (Foxit Corporation) -- C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Reader.exe
PRC - [2010.08.02 11:40:56 | 000,199,600 | ---- | M] (Telefónica I+D) -- C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe
PRC - [2010.04.09 14:32:02 | 000,372,736 | ---- | M] (Sphinx Software) -- C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe
PRC - [2010.04.09 14:21:56 | 000,753,664 | ---- | M] (Sphinx Software) -- C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe
PRC - [2010.03.06 04:04:24 | 000,310,224 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
PRC - [2008.12.09 12:08:38 | 000,495,616 | ---- | M] (Gadwin Systems, Inc) -- C:\Program Files (x86)\Gadwin Systems\PrintScreen\PrintScreen.exe


========== Modules (No Company Name) ==========

MOD - [2012.03.03 10:34:04 | 001,911,768 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2012.02.29 22:45:11 | 008,527,008 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
MOD - [2012.02.18 18:10:38 | 001,910,936 | ---- | M] () -- C:\Program Files (x86)\Mozilla Thunderbird\mozjs.dll
MOD - [2012.02.18 18:10:38 | 000,161,944 | ---- | M] () -- C:\Program Files (x86)\Mozilla Thunderbird\nsldap32v60.dll
MOD - [2012.02.18 18:10:38 | 000,021,144 | ---- | M] () -- C:\Program Files (x86)\Mozilla Thunderbird\nsldappr32v60.dll
MOD - [2011.07.26 10:56:16 | 000,576,512 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\JSDialogPack150.bpl
MOD - [2010.09.01 07:39:28 | 000,095,528 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2010.09.01 07:39:18 | 001,164,584 | ---- | M] () -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
MOD - [2010.08.18 10:24:43 | 000,008,192 | ---- | M] () -- C:\Program Files (x86)\Java\jre6\bin\jp2native.dll
MOD - [2010.07.23 03:54:06 | 000,067,872 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010.12.01 14:47:44 | 001,431,888 | ---- | M] (Flexera Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2010.10.05 09:07:08 | 000,087,336 | ---- | M] (Dassault Systèmes SolidWorks Corp.) [On_Demand | Stopped] -- C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe -- (CoordinatorServiceHost)
SRV:64bit: - [2010.05.18 19:06:38 | 000,094,208 | ---- | M] (Robert McNeel & Associates) [Auto | Running] -- C:\Program Files\Rhinoceros 5.0 WIP (64-bit)\System\RhinoVersionCheckSvc64.exe -- (McNeelUpdates64) McNeel Update (64-bit)
SRV:64bit: - [2009.07.22 10:16:56 | 000,110,896 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Windows\SysNative\AppleTimeSrv.exe -- (AppleTimeSrv)
SRV:64bit: - [2009.07.22 10:16:54 | 000,174,384 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\AppleOSSMgr.exe -- (AppleOSSMgr)
SRV:64bit: - [2009.07.14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2012.01.13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011.09.21 09:58:06 | 000,096,256 | ---- | M] (Robert McNeel & Associates) [Auto | Running] -- C:\Program Files (x86)\Rhinoceros 5.0 WIP\System\RhinoVersionCheckSvc32.exe -- (McNeelUpdates32) McNeel Update (32-bit)
SRV - [2011.08.04 15:17:18 | 000,130,976 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookSvc.exe -- (SDHookService)
SRV - [2011.08.04 15:17:06 | 000,169,624 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe -- (SDWSCService)
SRV - [2011.08.04 15:17:04 | 001,149,864 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe -- (SDUpdateService)
SRV - [2011.08.04 15:16:58 | 001,082,800 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe -- (SDScannerService)
SRV - [2010.12.01 14:55:50 | 001,044,816 | ---- | M] (Flexera Software, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010.12.01 14:50:28 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2010.10.25 13:53:46 | 000,145,920 | ---- | M] (HP) [Auto | Stopped] -- C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe -- (HP LaserJet Service)
SRV - [2010.08.02 11:40:56 | 000,199,600 | ---- | M] (Telefónica I+D) [Auto | Running] -- C:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe -- (TGCM_ImportWiFiSvc)
SRV - [2010.07.26 16:01:58 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010.04.09 14:32:02 | 000,372,736 | ---- | M] (Sphinx Software) [Auto | Running] -- C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallService.exe -- (Windows7FirewallService)
SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010.02.19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009.09.23 20:59:36 | 001,037,824 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2009.06.10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011.12.10 15:24:08 | 000,023,152 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011.02.18 16:36:58 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2010.12.14 20:28:30 | 000,022,040 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hppdbulkio.sys -- (HPFXBULKLEDM)
DRV:64bit: - [2010.10.21 21:51:00 | 000,230,352 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
DRV:64bit: - [2010.08.18 14:33:20 | 000,834,544 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010.04.19 21:29:18 | 000,022,528 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netaapl64.sys -- (Netaapl)
DRV:64bit: - [2010.04.09 08:24:32 | 000,076,288 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ew_jubusenum.sys -- (huawei_enumerator)
DRV:64bit: - [2010.04.07 10:05:00 | 000,250,368 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ewusbnet.sys -- (ewusbnet)
DRV:64bit: - [2010.03.25 03:08:46 | 000,120,704 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ewusbmdm.sys -- (hwdatacard)
DRV:64bit: - [2010.03.20 04:56:56 | 000,114,560 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ew_hwusbdev.sys -- (ew_hwusbdev)
DRV:64bit: - [2009.07.22 10:17:04 | 000,012,856 | ---- | M] (Apple Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AppleMNT.sys -- (AppleMNT)
DRV:64bit: - [2009.07.22 10:17:02 | 000,067,640 | ---- | M] (Apple Inc.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\AppleHFS.sys -- (AppleHFS)
DRV:64bit: - [2009.07.22 10:17:02 | 000,019,000 | ---- | M] (Apple Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\MacHALDriver.sys -- (MacHALDriver)
DRV:64bit: - [2009.07.22 10:17:00 | 000,015,416 | ---- | M] (Apple Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\KeyAgent.sys -- (KeyAgent)
DRV:64bit: - [2009.07.22 10:12:27 | 001,526,776 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2009.07.22 10:11:38 | 000,018,432 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IRFilter.sys -- (IRRemoteFlt)
DRV:64bit: - [2009.07.22 10:11:25 | 000,037,888 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\applemtp.sys -- (applemtp)
DRV:64bit: - [2009.07.22 10:11:25 | 000,012,288 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\applemtm.sys -- (applemtm)
DRV:64bit: - [2009.07.22 10:11:20 | 000,029,184 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\KeyMagic.sys -- (KeyMagic)
DRV:64bit: - [2009.07.14 02:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009.07.14 02:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009.07.14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 02:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009.07.14 02:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009.07.14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.07.14 01:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009.06.10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.05.18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009.04.09 13:38:26 | 000,167,424 | ---- | M] (ZTE Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ZTEusbnet.sys -- (ZTEusbnet)
DRV:64bit: - [2009.04.09 13:38:26 | 000,150,784 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\zteusbvoice.sys -- (ZTEusbvoice)
DRV:64bit: - [2009.04.09 13:38:26 | 000,150,784 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV:64bit: - [2009.04.09 13:38:26 | 000,150,656 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV:64bit: - [2009.04.09 13:38:26 | 000,150,656 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV:64bit: - [2009.04.09 13:38:26 | 000,011,776 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\massfilter.sys -- (massfilter)
DRV - [2011.08.04 15:17:12 | 000,048,888 | ---- | M] () [Kernel | System | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys -- (SDHookDriver)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2613550


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D0 9B A4 09 90 05 CC 01 [binary data]
IE - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2613550
IE - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.de/"
FF - prefs.js..extensions.enabledItems: tabkit@jomel.me.uk:0.6
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.87
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: 2020Player@2020Technologies.com:5.0.4.0
FF - prefs.js..extensions.enabledItems: {a95d8332-e4b4-6e7f-98ac-20b733364387}:0.5.2
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.03.03 10:34:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.03.03 10:34:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012.01.24 16:38:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2010.08.15 23:14:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\-\AppData\Roaming\mozilla\Extensions
[2010.08.15 23:14:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\-\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012.03.03 10:34:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\-\AppData\Roaming\mozilla\Firefox\Profiles\328hfjeu.default\extensions
[2011.04.28 11:22:24 | 000,000,000 | ---D | M] (LeechBlock) -- C:\Users\-\AppData\Roaming\mozilla\Firefox\Profiles\328hfjeu.default\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
[2010.08.16 12:42:44 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\-\AppData\Roaming\mozilla\Firefox\Profiles\328hfjeu.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2011.03.16 15:36:19 | 000,000,000 | ---D | M] (20-20 3D Viewer) -- C:\Users\-\AppData\Roaming\mozilla\Firefox\Profiles\328hfjeu.default\extensions\2020Player@2020Technologies.com
[2010.11.03 20:52:08 | 000,000,000 | ---D | M] (Tab Kit) -- C:\Users\-\AppData\Roaming\mozilla\Firefox\Profiles\328hfjeu.default\extensions\tabkit@jomel.me.uk
[2012.03.03 10:24:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012.03.03 10:34:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
() (No name found) -- C:\USERS\-\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\328HFJEU.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012.03.03 10:34:04 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2010.08.18 10:24:43 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2010.08.16 00:58:55 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files (x86)\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2012.03.03 10:34:03 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.03.03 10:34:03 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.03.03 10:34:03 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.03.03 10:34:03 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.03.03 10:34:03 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.03.03 10:34:03 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2012.03.02 15:36:32 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Apple_KbdMgr] C:\Programme\Boot Camp\Bootcamp.exe (Apple Inc.)
O4:64bit: - HKLM..\Run: [Eraser] C:\Programme\Eraser\Eraser.exe (The Eraser Project)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Programme\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Programme\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SDTray] C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ToolboxFX] C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Windows7FirewallControl] C:\Program Files (x86)\Windows7FirewallControl\Windows7FirewallControl.exe (Sphinx Software)
O4 - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001..\Run: [Gadwin PrintScreen] C:\Program Files (x86)\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1006039580-3662714632-3488871094-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {83581B17-7BF5-4650-BF23-853A8A0C271A} https://nextdayoqaos.materialise.com/Upserver/EposActiveX.cab (Materialise Stl File Analyzer Uploader)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6C554496-6A23-4C87-8C20-567508FDD6D9}: DhcpNameServer = 139.7.30.125 139.7.30.126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{973001BC-6CF8-4861-8114-1025CA761379}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E8DC4135-A501-4687-B640-A9697A271355}: DhcpNameServer = 139.7.30.126 139.7.30.125
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SafeBootMin:64bit: Base - Driver Group
SafeBootMin:64bit: Boot Bus Extender - Driver Group
SafeBootMin:64bit: Boot file system - Driver Group
SafeBootMin:64bit: File system - Driver Group
SafeBootMin:64bit: Filter - Driver Group
SafeBootMin:64bit: HelpSvc - Service
SafeBootMin:64bit: PCI Configuration - Driver Group
SafeBootMin:64bit: PNP Filter - Driver Group
SafeBootMin:64bit: Primary disk - Driver Group
SafeBootMin:64bit: sacsvr - Service
SafeBootMin:64bit: SCSI Class - Driver Group
SafeBootMin:64bit: System Bus Extender - Driver Group
SafeBootMin:64bit: vmms - Service
SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {254164FB-7512-E000-29ED-7D5F00686C53} - Offline Browsing Pack
ActiveX:64bit: {2C1B064E-CB70-BAB2-BF10-98F1751D0C2F} - Themes Setup
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {884E5F3F-794B-F1E2-080F-07AD46A55483} - Internet Explorer
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {A9F34BE1-7652-3B7D-0DFD-B04DC8379910} - Browser Customizations
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {D22CD5E2-7144-379C-F7A7-10A5B5F71C5E} - Microsoft Windows Media Player
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {F3337E72-C209-50E0-2B54-2DF56103256C} - Microsoft Windows Media Player
ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {01F90472-9311-F8A4-6B2D-068AA23B2E2B} - Internet Explorer
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {14DB9801-BBA4-B9D8-1340-21547D00ADB0} - Themes Setup
ActiveX: {1BD2D3A5-1469-BA69-E5A9-BD7DEDA5B52A} - Themes Setup
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2973E1DA-9ACE-AB44-68FA-11F0A66AFFA5} - Themes Setup
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F51C0D0-D6FE-4285-A094-448CCEEBEE62} - Themes Setup
ActiveX: {32D11B23-D7EC-F1E4-A5C6-634DEE0EDAA5} - Internet Explorer
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {41DAE8CE-35B6-ADEA-845F-01CF8D7A4915} - Internet Explorer
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {46C9EEEE-7C32-E0E3-0C98-0CF8DE78E985} - Themes Setup
ActiveX: {499DDCB9-2583-626F-9D0B-EB0256F8E2C3} - Microsoft Windows Media Player 12.0
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {505C3C3F-5E34-7749-FE19-6637DEEBD67E} - Microsoft Windows Media Player 12.0
ActiveX: {558A0037-1F6F-1778-5492-DC3A6F29AD37} - Microsoft Windows Media Player 12.0
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {60DEECEC-9E71-8C9B-429D-0E981509FB8C} - Themes Setup
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {72CBF2F4-DD38-A79F-950C-0C955B88E681} - Themes Setup
ActiveX: {74437D2D-8ADF-0BDA-CAEA-F205463AC744} - Microsoft Windows Media Player 12.0
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7BF1C7BA-47A1-5CC5-AB6E-2BF7BF53939E} - Themes Setup
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {7DD40869-B1F2-720C-AA93-4E2599A412C2} - Themes Setup
ActiveX: {86CEEA18-DDD8-23D2-D53D-125F3AA53AA3} - Microsoft Windows Media Player
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {93531208-6CBB-1307-0E49-69BE4CD33B50} - Java (Sun)
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {949EC4F6-1236-3BA0-55EE-807DFC250774} - .NET Framework
ActiveX: {9B87D270-B9B0-8731-5C74-727B2BDE1264} - Browser Customizations
ActiveX: {9E48C145-AE4A-512C-FAF3-7CAD09C3095C} - Themes Setup
ActiveX: {A3B70B14-D6B0-3ACB-9053-7B9E9003C4B1} - Microsoft Windows Media Player 12.0
ActiveX: {A530A885-8AEE-F92A-A5A1-439534516A14} - Internet Explorer
ActiveX: {C0EF86BF-127C-7F91-A01F-D70924BAE26D} - Themes Setup
ActiveX: {C1950BDE-E645-CB23-CA72-063AC47B617C} - Internet Explorer
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CBD66E1A-A4B9-2323-28C4-99802BA9EC3D} - Themes Setup
ActiveX: {CC08C7ED-9EB6-E7BE-2EDE-17E62A2B56D9} - Internet Explorer
ActiveX: {CF7F5876-CEC6-2D51-C4F7-ACF8B058F6F2} - .NET Framework
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EB752118-F8F7-7146-1446-1BC8462F5AEC} - .NET Framework
ActiveX: {ED4CCE27-DA60-6C87-0CA6-2A9183EB6475} - Microsoft Windows Media Player
ActiveX: {EFFC7C55-6F7B-DC63-6441-D98065AD6F6C} - .NET Framework
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32:64bit: msacm.ac3filter - ac3filter64.acm ()
Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.ac3filter - C:\Windows\SysWow64\ac3filter.acm ()
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\SysWow64\DivX.dll (DivX, Inc.)
Drivers32: vidc.yv12 - C:\Windows\SysWow64\DivX.dll (DivX, Inc.)

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2012.03.02 15:45:45 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012.03.02 15:39:09 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012.03.02 15:30:55 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.03.02 15:30:55 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.03.02 15:30:55 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.03.02 15:20:39 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012.03.02 15:16:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.03.02 01:40:05 | 000,000,000 | ---D | C] -- C:\Users\-\AppData\Roaming\Malwarebytes
[2012.03.02 01:39:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.03.02 01:39:54 | 000,023,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.03.02 01:39:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012.03.02 01:39:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.03.02 00:37:20 | 000,000,000 | ---D | C] -- C:\Users\-\AppData\Roaming\Help
[2012.03.02 00:33:16 | 000,000,000 | ---D | C] -- C:\Users\-\AppData\Roaming\TeamViewer
[2012.02.29 22:45:11 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.02.29 22:26:27 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2012.02.18 00:37:04 | 000,000,000 | ---D | C] -- C:\Program Files\EOTfast
[2012.02.09 16:41:09 | 004,763,456 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Windows\procexp.exe
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012.03.05 08:54:52 | 000,001,100 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.03.05 08:54:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.03.05 08:54:22 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.03.02 20:58:27 | 000,000,978 | ---- | M] () -- C:\Program Files\CoreTemp.ini
[2012.03.02 17:26:53 | 006,656,184 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.03.02 17:26:53 | 002,424,086 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.03.02 17:26:53 | 002,049,320 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.03.02 17:26:53 | 001,836,514 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.03.02 17:26:53 | 000,005,218 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.03.02 17:26:47 | 000,014,816 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.03.02 17:26:47 | 000,014,816 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.03.02 17:19:46 | 000,000,314 | ---- | M] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2012.03.02 17:19:31 | 2128,383,999 | -HS- | M] () -- C:\hiberfil.sys
[2012.03.02 15:36:32 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012.03.02 01:39:55 | 000,001,080 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.02.29 22:45:11 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.02.29 13:22:00 | 000,421,888 | ---- | M] () -- C:\Users\-\Documents\vdk_projekt3.indd
[2012.02.29 13:15:16 | 000,000,000 | ---- | M] () -- C:\Users\-\Documents\~vdk_projekt1~t7lzau.idlk
[2012.02.29 12:59:39 | 000,000,000 | ---- | M] () -- C:\Users\-\Documents\~vdk_projekt3~wguwp_.idlk
[2012.02.29 12:57:07 | 000,479,232 | ---- | M] () -- C:\Users\-\Documents\vdk_projekt2b.indd
[2012.02.29 12:55:20 | 000,327,680 | ---- | M] () -- C:\Users\-\Documents\vdk_projekt2.indd
[2012.02.29 12:55:06 | 000,466,944 | ---- | M] () -- C:\Users\-\Documents\vdk_projekt1b.indd
[2012.02.29 12:28:17 | 000,561,152 | ---- | M] () -- C:\Users\-\Documents\vdk_projekt1.indd
[2012.02.27 17:36:31 | 000,577,536 | ---- | M] () -- C:\Users\-\Documents\karlbraun_invoice_wb_2012_004.indd
[2012.02.27 17:28:50 | 000,585,728 | ---- | M] () -- C:\Users\-\Documents\karlbraun_invoice_wb_2012_002.indd
[2012.02.27 16:26:54 | 000,557,056 | ---- | M] () -- C:\Users\-\Documents\karlbraun_invoice_wb_2012_003.indd
[2012.02.27 15:59:28 | 000,569,344 | ---- | M] () -- C:\Users\-\Documents\karlbraun_invoice_wb_2012_001.indd
[2012.02.26 23:21:36 | 004,571,767 | ---- | M] () -- C:\Users\-\Desktop\flite.jpg
[2012.02.24 17:28:01 | 011,610,024 | ---- | M] () -- C:\Users\-\Desktop\cyclocross.psd
[2012.02.24 16:05:00 | 000,503,731 | ---- | M] () -- C:\Users\-\Desktop\vergleich.jpg
[2012.02.23 14:30:35 | 005,558,128 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.02.21 15:09:10 | 002,952,055 | ---- | M] () -- C:\Users\-\Desktop\RhinoCrashDump.dmp
[2012.02.21 15:09:10 | 000,000,000 | ---- | M] () -- C:\Users\-\Desktop\RhinoCrashDump.3dm
[2012.02.18 14:49:34 | 000,000,132 | ---- | M] () -- C:\Users\-\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2012.02.17 14:18:01 | 000,585,728 | ---- | M] () -- C:\Users\-\Documents\karlbraun_invoice_kc_2012_001B.indd
[2012.02.16 10:47:01 | 000,448,523 | ---- | M] () -- C:\Users\-\Documents\karlbraun_invoice_kc_2012_001B.pdf
[2012.02.14 18:25:21 | 000,679,936 | ---- | M] () -- C:\Users\-\Documents\testamentas.indd
[2012.02.12 19:23:50 | 000,109,751 | ---- | M] () -- C:\Users\-\Desktop\Screen shot 2012-02-12 at 19.23.30.png
[2012.02.12 16:42:10 | 000,538,402 | ---- | M] () -- C:\Users\-\Desktop\Screen shot 2012-01-05 at 13.55.24.png
[2012.02.06 14:38:13 | 000,577,536 | ---- | M] () -- C:\Users\-\Documents\karlbraun_invoice_kc_2012_001.indd
[2012.02.06 14:32:55 | 000,446,842 | ---- | M] () -- C:\Users\-\Documents\karlbraun_invoice_kc_2012_001.pdf
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012.03.03 10:34:06 | 000,001,113 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012.03.02 15:30:55 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.03.02 15:30:55 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.03.02 15:30:55 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.03.02 15:30:55 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.03.02 15:30:55 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.03.02 01:39:55 | 000,001,080 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012.02.29 13:15:16 | 000,000,000 | ---- | C] () -- C:\Users\-\Documents\~vdk_projekt1~t7lzau.idlk
[2012.02.29 12:59:39 | 000,421,888 | ---- | C] () -- C:\Users\-\Documents\vdk_projekt3.indd
[2012.02.29 12:59:39 | 000,000,000 | ---- | C] () -- C:\Users\-\Documents\~vdk_projekt3~wguwp_.idlk
[2012.02.29 12:56:14 | 000,479,232 | ---- | C] () -- C:\Users\-\Documents\vdk_projekt2b.indd
[2012.02.29 12:55:20 | 000,327,680 | ---- | C] () -- C:\Users\-\Documents\vdk_projekt2.indd
[2012.02.29 12:28:31 | 000,466,944 | ---- | C] () -- C:\Users\-\Documents\vdk_projekt1b.indd
[2012.02.29 11:37:09 | 000,561,152 | ---- | C] () -- C:\Users\-\Documents\vdk_projekt1.indd
[2012.02.27 16:27:15 | 000,577,536 | ---- | C] () -- C:\Users\-\Documents\karlbraun_invoice_wb_2012_004.indd
[2012.02.27 16:14:07 | 000,557,056 | ---- | C] () -- C:\Users\-\Documents\karlbraun_invoice_wb_2012_003.indd
[2012.02.27 16:02:18 | 000,585,728 | ---- | C] () -- C:\Users\-\Documents\karlbraun_invoice_wb_2012_002.indd
[2012.02.27 15:52:04 | 000,569,344 | ---- | C] () -- C:\Users\-\Documents\karlbraun_invoice_wb_2012_001.indd
[2012.02.26 01:48:13 | 004,571,767 | ---- | C] () -- C:\Users\-\Desktop\flite.jpg
[2012.02.24 17:28:00 | 011,610,024 | ---- | C] () -- C:\Users\-\Desktop\cyclocross.psd
[2012.02.24 16:04:58 | 000,503,731 | ---- | C] () -- C:\Users\-\Desktop\vergleich.jpg
[2012.02.16 10:46:57 | 000,448,523 | ---- | C] () -- C:\Users\-\Documents\karlbraun_invoice_kc_2012_001B.pdf
[2012.02.16 10:46:06 | 000,585,728 | ---- | C] () -- C:\Users\-\Documents\karlbraun_invoice_kc_2012_001B.indd
[2012.02.14 16:35:20 | 000,679,936 | ---- | C] () -- C:\Users\-\Documents\testamentas.indd
[2012.02.12 19:23:48 | 000,109,751 | ---- | C] () -- C:\Users\-\Desktop\Screen shot 2012-02-12 at 19.23.30.png
[2012.02.12 16:42:00 | 000,538,402 | ---- | C] () -- C:\Users\-\Desktop\Screen shot 2012-01-05 at 13.55.24.png
[2012.02.09 16:41:09 | 000,072,268 | ---- | C] () -- C:\Windows\procexp.chm
[2012.02.06 14:32:47 | 000,446,842 | ---- | C] () -- C:\Users\-\Documents\karlbraun_invoice_kc_2012_001.pdf
[2012.02.06 14:06:21 | 000,577,536 | ---- | C] () -- C:\Users\-\Documents\karlbraun_invoice_kc_2012_001.indd
[2011.10.02 10:52:19 | 000,007,607 | ---- | C] () -- C:\Users\-\AppData\Local\Resmon.ResmonCfg
[2011.08.19 09:02:10 | 000,000,014 | ---- | C] () -- C:\Windows\hpmssnpjt.ini
[2011.05.16 16:05:32 | 000,000,021 | ---- | C] () -- C:\Windows\SysWow64\CGCRI.DAT
[2011.03.29 09:34:25 | 000,212,958 | ---- | C] () -- C:\Windows\hpwins11.dat
[2011.03.29 09:34:25 | 000,000,392 | ---- | C] () -- C:\Windows\hpwmdl11.dat
[2011.01.04 11:50:42 | 000,000,028 | ---- | C] () -- C:\Windows\pdf995.ini
[2010.12.10 21:53:40 | 000,166,096 | ---- | C] () -- C:\Windows\SysWow64\AirfoilInject3.dll
[2010.12.01 14:55:27 | 000,000,000 | ---- | C] () -- C:\Windows\eDrawingOfficeAutomator.INI
[2010.11.02 17:45:35 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2010.10.28 10:40:14 | 000,000,046 | ---- | C] () -- C:\Windows\VID_DirectX.INI
[2010.10.27 12:14:40 | 000,008,960 | ---- | C] () -- C:\Windows\SysWow64\drivers\GF0012.SYS
[2010.10.23 17:14:43 | 000,001,456 | ---- | C] () -- C:\Users\-\AppData\Local\Adobe Save for Web 12.0 Prefs
[2010.10.01 12:39:42 | 000,000,132 | ---- | C] () -- C:\Users\-\AppData\Roaming\Adobe GIF Format CS5 Prefs
[2010.09.27 11:40:31 | 000,047,616 | ---- | C] () -- C:\Windows\SysWow64\pdf995mon64.dll
[2010.09.27 11:40:31 | 000,000,140 | ---- | C] () -- C:\Windows\wpd99.drv
[2010.09.23 13:18:30 | 000,165,376 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2010.09.09 20:56:14 | 000,000,132 | ---- | C] () -- C:\Users\-\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2010.08.18 19:08:23 | 000,015,873 | ---- | C] () -- C:\Windows\SysWow64\Inetde.dll
[2010.08.18 17:08:25 | 000,000,011 | ---- | C] () -- C:\Program Files\Plugins.ini
[2010.08.18 12:25:37 | 000,216,576 | ---- | C] () -- C:\Program Files\PowerCalc.exe
[2010.08.17 15:54:22 | 000,000,978 | ---- | C] () -- C:\Program Files\CoreTemp.ini
[2010.08.17 15:54:19 | 000,536,592 | ---- | C] () -- C:\Program Files\Core Temp.exe
[2010.08.16 22:18:45 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010.08.16 20:43:44 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010.08.16 00:18:20 | 000,015,360 | ---- | C] () -- C:\Windows\SysWow64\BASSMOD.dll
[2010.08.15 22:52:46 | 000,027,459 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010.08.15 22:45:18 | 000,027,459 | ---- | C] () -- C:\ProgramData\nvModes.dat

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2009.07.14 02:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe
[2011.08.04 15:17:58 | 003,148,200 | ---- | M] (Safer-Networking Ltd.) MD5=1B5F8B17F6E5A65394E6EB761A2D381C -- C:\Program Files (x86)\Spybot - Search & Destroy 2\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\SysWOW64\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe
[2009.08.03 07:19:07 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=700073016DAC1C3D2E7E2CE4223334B6 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[2009.10.31 07:34:59 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=9AAAEC8DAC27AA17B053E6352AD233AE -- C:\Windows\ERDNT\cache86\explorer.exe
[2009.10.31 07:34:59 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=9AAAEC8DAC27AA17B053E6352AD233AE -- C:\Windows\explorer.exe
[2009.10.31 07:34:59 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=9AAAEC8DAC27AA17B053E6352AD233AE -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[2009.08.03 06:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe
[2009.10.31 07:38:38 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=B8EC4BD49CE8F6FC457721BFC210B67F -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[2009.08.03 06:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe
[2009.07.14 02:39:10 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=C235A51CB740E45FFA0EBFB9BAFCDA64 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
[2009.10.31 07:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe
[2009.08.03 07:17:37 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=F170B4A061C9E026437B193B4D571799 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe

< MD5 for: WININIT.EXE >
[2009.07.14 02:39:52 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=94355C28C1970635A31B3FE52EB7CEBA -- C:\Windows\ERDNT\cache64\wininit.exe
[2009.07.14 02:39:52 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=94355C28C1970635A31B3FE52EB7CEBA -- C:\Windows\SysNative\wininit.exe
[2009.07.14 02:39:52 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=94355C28C1970635A31B3FE52EB7CEBA -- C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe
[2009.07.14 02:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\ERDNT\cache86\wininit.exe
[2009.07.14 02:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\SysWOW64\wininit.exe
[2009.07.14 02:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

< MD5 for: WINLOGON.EXE >
[2009.07.14 02:39:52 | 000,389,120 | ---- | M] (Microsoft Corporation) MD5=132328DF455B0028F13BF0ABEE51A63A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
[2012.01.13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009.10.28 08:01:57 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=A93D41A4D4B0D91C072D11DD8AF266DE -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_cc522fd507b468f8\winlogon.exe
[2009.10.28 07:24:40 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=DA3E2A6FA9660CC75B471530CE88453A -- C:\Windows\ERDNT\cache64\winlogon.exe
[2009.10.28 07:24:40 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=DA3E2A6FA9660CC75B471530CE88453A -- C:\Windows\SysNative\winlogon.exe
[2009.10.28 07:24:40 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=DA3E2A6FA9660CC75B471530CE88453A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad\winlogon.exe

< End of report >


Thank you!
Magnus

Edited by jetsk, 05 March 2012 - 03:34 AM.


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:36 AM

Posted 05 March 2012 - 03:55 AM

hi

from what I can see ZeroAccess wasn't active on your PC, but only located in your recyclebin. (So you had a file you didn't execute and delete that would've have infected you, or tried to, if you'd executed it) The redirects may have been caused by the timerintray detected by MBAM.

ComboFix deleted some files form 1&1. Have you been noticing any problems with it since you run ComboFix?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 jetsk

jetsk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:36 AM

Posted 05 March 2012 - 04:07 AM

Hi myrti,

are you sure it was only in the recycle bin? If you look at the very first MBAM scan file (in my first post), the last line is:

C:\Windows\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Keine Aktion durchgeführt.

...and that's not the recycle bin?

With regard to Combofix, no there have been no problems afterwards, apart from my 1&1 Fax Printer Service which is not working anymore, but that's not a big issue, I think this will be easy to re-install.

Thank you,
Magnus

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:36 AM

Posted 05 March 2012 - 07:38 AM

Hi,

if the infection had successfully installed there would be a file called consrv.dll in your system32 folder and it would have modified the SubSystems-Windows value in the registry. This has not happened, or at the very least, it is no longer showing in any of the logs you've given me. (Also not the initial ones you attached).

The only conclusion possible for me, unless you've undertaken further steps before you contacted us, is that the infection did not successfully install on your PC.

There was a different successful and active infection on your PC: SpyEyes, which can have caused the redirects and which MBAM removed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 jetsk

jetsk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:36 AM

Posted 05 March 2012 - 07:50 AM

Hi myrti,

ok thank you. And are there certain circumstances under which that rootkit cannot properly install itself?

Also remember that I used the Windows 7 system restore after the browser redirections came up (even if they are not caused by zeroaccess but by spyeyes),
is it possible that the Windows 7 system restore had deleted the consrv.dll? This was the only step that I have undertaken before doing the first MBAM log in my first post.

Apart from that, the only security measure that I was taking generelly was my Firewall (sphinx-soft) which always asks first when any program tries to 'phone home'.
I remember that there was an unknown program a while ago in my Windows folder (unfortunately I cannot remember details) which was stopped by sphinx, and
I denied access for that thing, and instead deleted it. Maybe that was the unsuccessful entry point of ZeroAccess?

Are there any more tools apart from OTL / MBAM / DDS / aswMBR / GMER that I could use to check if my system is really clean? I fear that the evil is
just hiding? Or is my fear unjustifiable?

One more thing: why was this line marked red in aswMBR's output?
16:36:57.857 \Driver\atapi[0xfffffa8007e5b6b0] -> IRP_MJ_CREATE -> 0xfffffa8007d082c0

Thank you myrti!
Magnus

Edited by jetsk, 05 March 2012 - 07:54 AM.


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:36 AM

Posted 05 March 2012 - 08:01 AM

Hi,

principally you've taken the right approach. OTL/DDS/aswMBR should have shown you the infection, but didn't. gmer is not compatible with 64bit OS. It will run, bit it does not produce a reliable output. You coul also run TDSSKiller if you like, that sometimes finds the infection. IMHO this is not strictly necessary.

I think your interpretation of the aswMBR log is also correct, which is why I didn't elaborate on it. You see in the called modules the folling two entries:

>>UNKNOWN [0xfffffa8007d082c0]<<spex.sys

The first is a component of sptd hiding, the second is a visible part of sptd (the driver will always start with sp, but the next two letters will vary). That's how I know sptd is active and the hook you're seeing is typical for sptd. It is also typical for TDL, but not for ZeroAccess. There's no other indication that TDL is active (notably you'd be getting redirected if TDL was active). So it's very very very likely that you are looking at a trace caused by Daemon Tools (which uses sptd).

ZA may have been unable to install because it couldn't gain admin permissions to isntall. It may also have been blocked by mbam or other when trying to install... Or maybe the installer you got was faulty and couldn't do what it was meant to do. :wink:

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 jetsk

jetsk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:36 AM

Posted 05 March 2012 - 08:10 AM

Hi,

I also used TDSSKiller, it didn't find anything (see log in first post).

The only reason why I appear a little bit paranoid is that I asked my questions in a similar german forum as well and the guy there just saw my first MBAM log file and created the impression it would generally be next to impossible to remove ZeroAccess so there would be almost no other way than re-installing the whole system.

So he's wrong?

All the best,
Magnus

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:36 AM

Posted 05 March 2012 - 09:01 AM

Hi,

can you link me? ZA is one of the most advanced and msot aggressive infections out there, but I do not think it ever installed on your system.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 jetsk

jetsk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:36 AM

Posted 05 March 2012 - 09:20 AM

Hi, it's here (but I received no replys so far after posting my approach of fixing)

http://www.trojaner-board.de/110721-abnow-macbook-pro-bootcamp-windows-7-64bit.html

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:36 AM

Posted 05 March 2012 - 02:22 PM

Hi,

yes, this is mostly due to different perceptions when it comes to malware removal. See also my PMs :wink:

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:36 AM

Posted 29 March 2012 - 08:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users