Sophos reports Troj/Vundo-MemA, not able to clean it

This topic is locked
10 replies to this topic

#1 HBARZ

Members, 4 posts

Posted 09 November 2015 - 08:19 AM

Hi there,

My Sophos seems to find Troj/Vundo-MemA in "User Memory" and "C:\Windows\System32\rundll32.exe", but only when logged in with a user account, not with administrator. There don't seem to be any obvious problems produced by it either.

Although Sophos reports to clean it up and cannot find it anymore on repeated scans, after rebooting the first scan reports it again.

All other programs I had running (e.g. Antivir, MBAM) do not seem to find anything.

Due to this I don't know whether it's a false alarm or the real deal.

Mod Edit: Pasted FRST data into post - Hamluis.


Untersuchungsergebnis von Farbar Recovery Scan Tool (FRST) (x86) Version:07-11-2015
durchgeführt von Administrator (Administrator) auf BUERO2 (09-11-2015 14:10:03)
Gestartet von C:\Users\administrator.TA-BARZ\Desktop
Geladene Profile: Administrator (Verfügbare Profile: user & Administrator)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Sprache: Deutsch (Deutschland)
Internet Explorer Version 11 (Standard-Browser: FF)
Start-Modus: Normal
Anleitung für Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Prozesse (Nicht auf der Ausnahmeliste) =================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Prozess geschlossen. Die Datei wird nicht verschoben.)

(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(InterVideo) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Intel Corporation) C:\Program Files\Intel\AMT\LMS.exe
(PDF Complete Inc) C:\Program Files\PDF Complete\pdfsvc.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Safer-Networking Ltd.) C:\Virenschutz\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Virenschutz\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Sophos Limited) C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Safer-Networking Ltd.) C:\Virenschutz\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Sophos Limited) C:\Program Files\Sophos\AutoUpdate\ALMon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(AGFEO      ) C:\Program Files\AGFEO\Tk-Suite\tools\ctimon.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.bin
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Nicht auf der Ausnahmeliste) ===========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt. Die Datei wird nicht verschoben.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7596576 2009-07-03] (Realtek Semiconductor)
HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [796696 2009-07-24] (Intel Corporation)
HKLM\...\Run: [PDF Complete] => C:\Program Files\PDF Complete\pdfsty.exe [563736 2009-06-18] (PDF Complete Inc)
HKLM\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files\Sophos\AutoUpdate\almon.exe [1592104 2015-07-30] (Sophos Limited)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [782520 2015-11-09] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [SDTray] => C:\Virenschutz\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-1880281270-951614602-2188419990-500\...\MountPoints2: {8bf939d2-fcd5-11df-8563-806e6f6e6963} - E:\setup.exe
Startup: C:\Users\administrator.TA-BARZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk [2012-12-21]
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TK-Suite Client.lnk [2015-02-17]
ShortcutTarget: TK-Suite Client.lnk -> C:\Program Files\AGFEO\Tk-Suite\tools\ctimon.exe (AGFEO      )
Startup: C:\Users\buero2.TA-BARZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk [2011-02-21]
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Eintrag entfernt oder auf den Standardwert zurückgesetzt, wenn es sich um einen Registryeintrag handelt.)

Winsock: Catalog9 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Winsock: Catalog9 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Winsock: Catalog9 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Winsock: Catalog9 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Winsock: Catalog9 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Winsock: Catalog9 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Winsock: Catalog9 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Winsock: Catalog9 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Winsock: Catalog9 31 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760 2015-05-26] (Sophos Limited)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{014129A8-F3D1-44A0-A863-AD5AFDD14667}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKU\S-1-5-21-1880281270-951614602-2188419990-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/HPCOM/10
HKU\S-1-5-21-1880281270-951614602-2188419990-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPCOM/10
SearchScopes: HKLM -> DefaultScope {72B75F12-F41A-4CD5-A8B5-1A971BECF9C0} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {72B75F12-F41A-4CD5-A8B5-1A971BECF9C0} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\administrator.TA-BARZ\AppData\Roaming\Mozilla\Firefox\Profiles\3mhzb9fa.default
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-29] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [Keine Datei]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF user.js: detected! => C:\Users\administrator.TA-BARZ\AppData\Roaming\Mozilla\Firefox\Profiles\3mhzb9fa.default\user.js [2015-05-26]
FF Extension: Adblock Plus - C:\Users\administrator.TA-BARZ\AppData\Roaming\Mozilla\Firefox\Profiles\3mhzb9fa.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-11-09]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Dienste (Nicht auf der Ausnahmeliste) ========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

S2 AntiVirMailService; C:\Program Files\Avira\AntiVir Desktop\avmailc7.exe [932912 2015-11-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [461672 2015-11-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [461672 2015-11-09] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [992504 2015-11-04] (Avira Operations GmbH & Co. KG)
R2 HP Health Check Service; C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [120832 2009-10-15] (Hewlett-Packard) [Datei ist nicht signiert]
S2 MBAMService; C:\Virenschutz\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe [635416 2009-06-18] (PDF Complete Inc)
R2 SAVAdminService; C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [288552 2015-05-26] (Sophos Limited)
R2 SAVService; C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe [208168 2015-05-26] (Sophos Limited)
R2 SDScannerService; C:\Virenschutz\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Virenschutz\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Virenschutz\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 Sophos AutoUpdate Service; C:\Program Files\Sophos\AutoUpdate\ALsvc.exe [340264 2015-07-30] (Sophos Limited)
R2 Sophos Client Firewall; C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe [64808 2015-05-26] (Sophos Limited)
R2 Sophos Client Firewall Manager; C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe [158504 2015-05-26] (Sophos Limited)
R2 swi_service; C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [3278632 2015-05-26] (Sophos Limited)
S2 swi_update; C:\ProgramData\Sophos\Web Intelligence\swi_update.exe [1498920 2015-05-26] (Sophos Limited)
R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-24] (Intel Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

===================== Treiber (Nicht auf der Ausnahmeliste) ==========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108448 2015-11-09] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [136728 2015-11-09] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2015-11-04] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [55912 2015-11-09] (Avira Operations GmbH & Co. KG)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [134912 2015-05-26] (Sophos Limited)
R1 scfdriver; C:\Windows\system32\Drivers\scfdriver.sys [88352 2015-05-26] (Sophos Limited)
R1 scfndis; C:\Windows\System32\DRIVERS\scfndis.sys [45856 2015-05-26] (Sophos Limited)
R1 SKMScan; C:\Windows\System32\DRIVERS\skmscan.sys [33408 2015-05-26] (Sophos Limited)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [23680 2015-05-26] (Sophos Limited)
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [31848 2015-11-09] (Avira Operations GmbH & Co. KG)
U3 ufldqpob; \??\C:\Users\ADMINI~1.TA-\AppData\Local\Temp\ufldqpob.sys [X]

==================== NetSvcs (Nicht auf der Ausnahmeliste) ===================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

==================== Ein Monat: Erstellte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2015-11-09 14:10 - 2015-11-09 14:10 - 00012848 _____ C:\Users\administrator.TA-BARZ\Desktop\FRST.txt
2015-11-09 14:09 - 2015-11-09 14:10 - 00000000 ____D C:\FRST
2015-11-09 14:08 - 2015-11-09 14:08 - 01702400 _____ (Farbar) C:\Users\administrator.TA-BARZ\Desktop\FRST.exe
2015-11-09 13:50 - 2015-11-09 13:50 - 00004689 _____ C:\Users\administrator.TA-BARZ\Desktop\GMER.txt
2015-11-09 13:17 - 2015-11-09 12:56 - 00380416 _____ C:\Users\administrator.TA-BARZ\Desktop\lnuc3qw6.exe
2015-11-09 13:01 - 2015-11-09 13:01 - 00001954 _____ C:\Users\Public\Desktop\Avira Antivirus.lnk
2015-11-09 13:01 - 2015-11-09 13:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-11-09 12:56 - 2015-11-09 12:56 - 00380416 _____ C:\Users\buero2.TA-BARZ\Desktop\lnuc3qw6.exe
2015-11-09 12:53 - 2015-11-09 12:53 - 00050477 _____ C:\Users\buero2.TA-BARZ\Downloads\Defogger.exe
2015-11-08 19:16 - 2015-11-08 19:57 - 00000135 _____ C:\VundoFix.txt
2015-11-08 13:28 - 2015-11-08 13:28 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-08 13:26 - 2015-11-08 13:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-11-08 13:26 - 2015-11-08 13:26 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-11-08 13:26 - 2015-10-05 09:50 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-11-08 13:26 - 2015-10-05 09:50 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-11-08 13:26 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-11-08 01:06 - 2015-11-08 01:06 - 00001922 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-11-08 01:06 - 2015-11-08 01:06 - 00001910 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-11-08 01:06 - 2015-11-08 01:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-11-08 01:06 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-11-07 15:36 - 2015-11-09 13:20 - 00000000 ____D C:\Virenschutz
2015-11-07 15:36 - 2015-11-07 15:36 - 00000000 ____D C:\VundoFix Backups
2015-11-07 15:36 - 2015-11-07 14:54 - 00119808 _____ (Atribune.org) C:\Users\buero2.TA-BARZ\Desktop\VundoFix.exe
2015-11-05 21:27 - 2015-11-09 13:20 - 00000000 ____D C:\Users\administrator.TA-BARZ\AppData\Roaming\Avira
2015-11-05 18:44 - 2015-11-05 18:44 - 00002747 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2015-11-05 18:34 - 2015-11-05 18:36 - 137414408 _____ (Sophos Limited) C:\Users\buero2.TA-BARZ\Downloads\Sophos Virus Removal Tool.exe
2015-11-05 14:57 - 2015-11-07 00:02 - 00000000 ____D C:\Windows\Minidump
2015-11-03 09:33 - 2015-11-09 13:12 - 00000000 ____D C:\Users\buero2.TA-BARZ\AppData\Roaming\Avira
2015-11-03 08:54 - 2015-11-09 12:58 - 00136728 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2015-11-03 08:54 - 2015-11-09 12:58 - 00108448 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2015-11-03 08:54 - 2015-11-09 12:58 - 00055912 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2015-11-03 08:54 - 2015-11-09 12:58 - 00031848 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\ssmdrv.sys
2015-11-03 08:54 - 2015-11-04 22:55 - 00037352 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2015-10-16 17:41 - 2015-10-16 17:42 - 00000000 ____D C:\Users\buero2.TA-BARZ\AppData\Local\Mozilla Firefox
2015-10-15 07:41 - 2015-09-18 18:47 - 00023384 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2015-10-15 07:41 - 2015-09-18 18:44 - 01120768 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-10-15 07:41 - 2015-09-18 18:44 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-10-15 07:41 - 2015-09-18 18:44 - 00587776 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-10-15 07:41 - 2015-09-18 18:44 - 00423936 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-10-15 07:41 - 2015-09-18 18:44 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-10-15 07:41 - 2015-09-18 18:35 - 00999936 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-10-14 07:23 - 2015-09-29 04:05 - 03990976 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-10-14 07:23 - 2015-09-29 04:05 - 03936192 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-10-14 07:23 - 2015-07-18 14:08 - 00901264 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00066400 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00022368 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-eventing-provider-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2015-10-14 07:23 - 2015-07-18 14:08 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2015-10-14 07:22 - 2015-10-01 18:50 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-10-14 07:22 - 2015-10-01 18:50 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-10-14 07:22 - 2015-10-01 18:50 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-10-14 07:22 - 2015-10-01 18:50 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-10-14 07:22 - 2015-10-01 18:50 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-10-14 07:22 - 2015-10-01 17:53 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-10-14 07:22 - 2015-09-29 04:02 - 01308160 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-10-14 07:22 - 2015-09-29 03:59 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-10-14 07:22 - 2015-09-29 03:59 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-10-14 07:22 - 2015-09-29 03:59 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-10-14 07:22 - 2015-09-29 03:59 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-10-14 07:22 - 2015-09-29 03:59 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-10-14 07:22 - 2015-09-29 03:59 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-10-14 07:22 - 2015-09-29 03:59 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-10-14 07:22 - 2015-09-29 03:58 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-10-14 07:22 - 2015-09-29 03:58 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-10-14 07:22 - 2015-09-29 03:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-10-14 07:22 - 2015-09-29 03:58 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-10-14 07:22 - 2015-09-29 03:58 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-10-14 07:22 - 2015-09-29 03:58 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-10-14 07:22 - 2015-09-29 03:53 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-10-14 07:22 - 2015-09-29 03:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-10-14 07:22 - 2015-09-29 03:49 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-10-14 07:22 - 2015-09-29 03:49 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-10-14 07:22 - 2015-09-29 02:43 - 00225792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-10-14 07:22 - 2015-09-29 02:43 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-10-14 07:22 - 2015-09-29 02:43 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-10-14 07:22 - 2015-09-25 18:59 - 02955776 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-10-14 07:22 - 2015-09-25 18:59 - 02061824 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-10-14 07:22 - 2015-09-25 18:59 - 00566784 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-10-14 07:22 - 2015-09-25 18:59 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-10-14 07:22 - 2015-09-25 18:59 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-10-14 07:22 - 2015-09-25 18:59 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-10-14 07:22 - 2015-09-25 18:59 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-10-14 07:22 - 2015-09-25 18:58 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-10-14 07:22 - 2015-09-25 18:58 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-10-14 07:22 - 2015-09-25 18:58 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-10-14 07:22 - 2015-09-25 18:58 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-10-14 07:22 - 2015-09-18 19:58 - 00345688 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-10-14 07:22 - 2015-09-16 04:58 - 20357632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-10-14 07:22 - 2015-09-16 04:45 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-10-14 07:22 - 2015-09-16 04:45 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-10-14 07:22 - 2015-09-16 04:33 - 00504832 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-10-14 07:22 - 2015-09-16 04:33 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-10-14 07:22 - 2015-09-16 04:32 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-10-14 07:22 - 2015-09-16 04:32 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-10-14 07:22 - 2015-09-16 04:31 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-10-14 07:22 - 2015-09-16 04:28 - 02279936 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-10-14 07:22 - 2015-09-16 04:26 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-10-14 07:22 - 2015-09-16 04:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-10-14 07:22 - 2015-09-16 04:24 - 00480256 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-10-14 07:22 - 2015-09-16 04:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-10-14 07:22 - 2015-09-16 04:23 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-10-14 07:22 - 2015-09-16 04:22 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-10-14 07:22 - 2015-09-16 04:22 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-10-14 07:22 - 2015-09-16 04:18 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-10-14 07:22 - 2015-09-16 04:15 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-10-14 07:22 - 2015-09-16 04:10 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-10-14 07:22 - 2015-09-16 04:07 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-10-14 07:22 - 2015-09-16 04:06 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-10-14 07:22 - 2015-09-16 04:05 - 04527616 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-10-14 07:22 - 2015-09-16 04:05 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-10-14 07:22 - 2015-09-16 04:04 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-10-14 07:22 - 2015-09-16 03:58 - 12853760 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-10-14 07:22 - 2015-09-16 03:58 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-10-14 07:22 - 2015-09-16 03:56 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-10-14 07:22 - 2015-09-16 03:56 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-10-14 07:22 - 2015-09-16 03:55 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-10-14 07:22 - 2015-09-16 03:55 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-10-14 07:22 - 2015-09-16 03:37 - 02011136 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-10-14 07:22 - 2015-09-16 03:34 - 01311232 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-10-14 07:22 - 2015-09-16 03:32 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-10-14 07:22 - 2015-09-15 18:42 - 00139096 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-10-14 07:22 - 2015-09-15 18:42 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-10-14 07:22 - 2015-09-15 18:36 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-10-14 07:22 - 2015-09-15 18:36 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-10-14 07:22 - 2015-09-15 18:36 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-10-14 07:22 - 2015-09-15 18:36 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-10-14 07:22 - 2015-09-15 18:36 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-10-14 07:22 - 2015-09-15 18:36 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-10-14 07:22 - 2015-09-15 18:35 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-10-14 07:22 - 2015-08-06 18:44 - 12875776 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-10-14 07:22 - 2015-08-06 18:44 - 01498624 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll

==================== Ein Monat: Geänderte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2015-11-09 13:55 - 2010-11-02 06:26 - 02082633 _____ C:\Windows\WindowsUpdate.log
2015-11-09 13:49 - 2014-09-10 10:55 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-11-09 13:27 - 2009-07-14 05:34 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-09 13:27 - 2009-07-14 05:34 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-09 13:19 - 2015-05-26 09:40 - 00000142 _____ C:\Windows\ODBC.INI
2015-11-09 13:19 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-09 13:18 - 2009-07-14 05:39 - 00156233 _____ C:\Windows\setupact.log
2015-11-09 13:07 - 2010-11-30 23:59 - 00559472 _____ C:\Windows\PFRO.log
2015-11-09 12:59 - 2013-08-12 10:33 - 00000000 ____D C:\ProgramData\Avira
2015-11-09 01:54 - 2015-02-17 10:32 - 00000000 __SHD C:\Users\administrator.TA-BARZ\AppData\Local\EmieUserList
2015-11-09 01:54 - 2015-02-17 10:32 - 00000000 __SHD C:\Users\administrator.TA-BARZ\AppData\Local\EmieSiteList
2015-11-09 01:54 - 2015-02-17 10:32 - 00000000 __SHD C:\Users\administrator.TA-BARZ\AppData\Local\EmieBrowserModeList
2015-11-08 13:56 - 2013-08-12 10:33 - 00000000 ____D C:\ProgramData\APN
2015-11-08 01:12 - 2015-03-04 18:32 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-11-07 16:54 - 2009-07-25 13:54 - 01594028 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-07 15:36 - 2010-12-13 18:21 - 00000000 ____D C:\Users\buero2.TA-BARZ\AppData\Local\VirtualStore
2015-11-07 11:02 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\Microsoft.NET
2015-11-07 00:02 - 2010-12-01 00:00 - 00180311 ____N C:\Windows\Minidump\110715-21403-01.dmp
2015-11-06 19:12 - 2010-11-30 16:11 - 00000128 _____ C:\Windows\system32\config\netlogon.ftl
2015-11-06 09:57 - 2015-05-26 09:24 - 00000000 ____D C:\ProgramData\Sophos
2015-11-05 18:44 - 2015-05-26 09:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2015-11-05 18:44 - 2015-05-26 09:24 - 00000000 ____D C:\Program Files\Sophos
2015-11-05 14:57 - 2010-12-01 00:00 - 00180311 ____N C:\Windows\Minidump\110515-28095-01.dmp
2015-11-03 08:54 - 2013-08-12 10:33 - 00000000 ____D C:\Program Files\Avira
2015-11-03 08:51 - 2012-08-15 10:11 - 00000000 ____D C:\Users\administrator.TA-BARZ\AppData\Roaming\TeamViewer
2015-11-03 08:51 - 2010-12-16 11:13 - 00000642 _____ C:\Users\administrator.TA-BARZ\Desktop\myANIWIN.com starten.lnk
2015-11-03 08:50 - 2009-07-14 05:46 - 00001515 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-11-03 03:59 - 2014-12-12 11:10 - 00000000 ___HD C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2015-11-03 00:46 - 2010-11-02 06:30 - 00000000 ____D C:\ProgramData\PDFC
2015-10-29 15:49 - 2014-09-10 10:55 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-10-29 15:49 - 2014-09-10 10:55 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-10-15 18:01 - 2015-04-16 07:31 - 00000000 ____D C:\Windows\system32\appraiser
2015-10-15 18:01 - 2014-04-30 17:04 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-10-15 08:03 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\rescache
2015-10-15 07:29 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\de-DE
2015-10-14 17:14 - 2013-08-14 18:04 - 00000000 ____D C:\Windows\system32\MRT
2015-10-14 17:09 - 2010-12-13 09:59 - 141105520 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-10-12 14:37 - 2015-02-23 10:06 - 00000000 ____D C:\Users\buero2.TA-BARZ\Desktop\Medi
2015-10-12 09:49 - 2012-10-01 16:19 - 00021357 _____ C:\Users\buero2.TA-BARZ\Desktop\Betäubungsmittelkartei-Pol.odt
2015-10-12 08:58 - 2012-09-27 14:48 - 00021801 _____ C:\Users\buero2.TA-BARZ\Desktop\Releasekartei.odt

==================== Dateien im Wurzelverzeichnis einiger Verzeichnisse =======

2015-02-23 11:58 - 2015-02-23 11:58 - 0000017 _____ () C:\Users\administrator.TA-BARZ\AppData\Local\resmon.resmoncfg

Einige Dateien in TEMP:
====================
C:\Users\administrator.TA-BARZ\AppData\Local\Temp\avgnt.exe
C:\Users\buero2.TA-BARZ\AppData\Local\Temp\avgnt.exe

==================== Bamital & volsnap =================

(Es ist kein automatischer Fix für Dateien vorhanden, die an der Verifikation gescheitert sind.)

C:\Windows\explorer.exe => Datei ist digital signiert
C:\Windows\system32\winlogon.exe => Datei ist digital signiert
C:\Windows\system32\wininit.exe => Datei ist digital signiert
C:\Windows\system32\svchost.exe => Datei ist digital signiert
C:\Windows\system32\services.exe => Datei ist digital signiert
C:\Windows\system32\User32.dll => Datei ist digital signiert
C:\Windows\system32\userinit.exe => Datei ist digital signiert
C:\Windows\system32\rpcss.dll => Datei ist digital signiert
C:\Windows\system32\dnsapi.dll => Datei ist digital signiert
C:\Windows\system32\Drivers\volsnap.sys => Datei ist digital signiert

LastRegBack: 2015-11-02 11:15

==================== Ende vom FRST.txt ============================

 

 

Please find attached the logs of:

Sophos

Antivir

FRST

Malwarebytes

 

Thanks in advance for any help.

Regards,

Hein



Edited by hamluis, 09 November 2015 - 08:34 AM.



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:41 PM

Posted 11 November 2015 - 10:11 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Sophos Anti-Virus (Enabled - Up to date) {6BABF8F7-3EB6-BD1D-9167-8C5ECA060A29}
FW: Sophos Client Firewall (Enabled) {539079D2-74D9-BC45-BA38-256B34D54D52}

Avira and Sophos should not be running simultaneously. It's only slowing down your system.
Since you have a Sophos Firewall I suggest you disable Avira.

===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
FF Plugin: @microsoft.com/GENUINE -> disabled [Keine Datei]
FF user.js: detected! => C:\Users\administrator.TA-BARZ\AppData\Roaming\Mozilla\Firefox\Profiles\3mhzb9fa.default\user.js [2015-05-26]
U3 ufldqpob; \??\C:\Users\ADMINI~1.TA-\AppData\Local\Temp\ufldqpob.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

If the problem persists in the other account please run the Farbar tool in that compromised account.
Post the log for my review.

Edited by nasdaq, 11 November 2015 - 10:11 AM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:41 PM

Posted 16 November 2015 - 09:48 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:41 PM

Posted 16 November 2015 - 11:27 AM

This topic has been re-opened at the request of the person who originally posted.

#5 HBARZ

HBARZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 16 November 2015 - 07:05 PM

Hello nasdaq,

 

Sophos is still giving out a warning for Vundo, even after running FRST.

Fixlog.txt and AdwCleaner.txt were generated on the admin account, Fixlog User.txt was generated after running FRST on the user account.

 

Best regards!




#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:41 PM

Posted 17 November 2015 - 09:48 AM

Sophos is still giving out a warning for Vundo, even after running FRST.


If the computer is running well I suspect that you have some remnant items that are triggering this message.

Please post the exact error message for my review. It may give me some clues.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
process;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#7 HBARZ

HBARZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 19 November 2015 - 08:47 PM

Hi nasdaq,

 

after running Zoek tool Sophos finally stopped finding the Troj/Vundo-MemA. :)

 

A failure warning (see attached image) seems to be appearing more often than previously after rebooting, but I can't say for sure. Might also be my personal opinion because I rebooted the PC way more often than in the weeks before. Other than that I could not find any abnormal behavior up till now.

 

Thanks for your help!




#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:41 PM

Posted 20 November 2015 - 08:51 AM

Quoted from your log.

"C:\Users\buero2.TA-BARZ\AppData\Roaming\msdeltas.dll" not deleted


It could be some remnant items. Lets check it out.

Please run the Farbar Recovery Scan Tool. Enter msdeltas.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>


Lets look also in the Registry.

Please run the Farbar Recovery Scan Tool. Enter msdeltas.dll in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#9 HBARZ

HBARZ
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:41 PM

Posted 23 November 2015 - 11:31 AM

Hi nasdaq,

 

sorry for taking my time.

The error seems to have disappeared. Anyhow, here are the search logs:
 

 

Farbar Recovery Scan Tool (x86) Version:22-11-2015
durchgeführt von buero2 (2015-11-23 18:00:09)
Gestartet von C:\Users\buero2.TA-BARZ\Desktop
Start-Modus: Normal

================== Datei-Suche: "msdeltas.dll" =============

====== Ende von Suche ======

 

 

Farbar Recovery Scan Tool (x86) Version:22-11-2015
durchgeführt von buero2 (2015-11-23 18:05:14)
Gestartet von C:\Users\buero2.TA-BARZ\Desktop
Start-Modus: Normal

================== Registry-Suche: "msdeltas.dll" ===========

[HKEY_USERS\S-1-5-21-1880281270-951614602-2188419990-1111\Software\Microsoft\Windows\CurrentVersion\Run]
"xnkh"="rundll32 "C:\Users\buero2.TA-BARZ\AppData\Roaming\msdeltas.dll",Qyhsdlrbf"

====== Ende von Suche ======

 

 

Thanks for your patience.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:41 PM

Posted 24 November 2015 - 07:31 AM


This will remove the unwanted key in the registry.

Copy the text IN THE CODE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1880281270-951614602-2188419990-1111\Software\Microsoft\Windows\CurrentVersion\Run]
"xnkh"=-

Restart the computer when completed.

You can delete the fixme.reg file when done.

===


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
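As an added, read-only detection example (my own script, not nasdaq's instructions and not FRST output), the PowerShell below lists per-user Run entries that match the pattern of the "xnkh" value found above: rundll32 loading a DLL from a user's AppData directory. The sample string it checks itself against is the value quoted from the FRST registry search in this thread.

```powershell
# Added example, not part of the thread: list per-user Run entries that use rundll32 to load
# a DLL from a user profile directory, the pattern of the "xnkh" value found above.
# Read-only: it reports, it never deletes anything.

function Test-SuspiciousRunCommand {
    param([string]$Command)
    # rundll32 plus a DLL under \Users\<name>\AppData\ is unusual for legitimate software
    return ($Command -match '(?i)rundll32' -and $Command -match '(?i)\\Users\\[^\\]+\\AppData\\')
}

function Find-SuspiciousRunEntries {
    $runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    $results = @()
    # Only the hives of currently logged-on users are loaded under HKEY_USERS; run this
    # while logged on as the affected account (as the thread did), or load the hive first.
    $sids = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($sid in $sids) {
        $keyPath = "Registry::HKEY_USERS\$($sid.PSChildName)\$runSubKey"
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item $keyPath
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            if (Test-SuspiciousRunCommand $cmd) {
                $results += [pscustomobject]@{ Hive = $sid.PSChildName; Value = $name; Command = $cmd }
            }
        }
    }
    return $results
}

# Sanity check against the value quoted from the FRST registry search in this thread.
$sample = 'rundll32 "C:\Users\buero2.TA-BARZ\AppData\Roaming\msdeltas.dll",Qyhsdlrbf'
if (-not (Test-SuspiciousRunCommand $sample)) { throw 'matcher failed on the known sample' }

$found = Find-SuspiciousRunEntries
if ($found) { $found | Format-Table -AutoSize } else { 'No matching Run entries found.' }
```

Each hit names the hive (SID), the value name and the command, which is exactly what a removal .reg like the one above needs.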

#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:41 PM

Posted 30 November 2015 - 09:52 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



