Log Analysis and Evaluation: Caught TR/ATRAPS.Gen and TR/inject.eigl (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
TR/ATRAPS.Gen and TR/inject.eigl caught

Dear forum helpers,

this is, as for so many others, my first post, because I simply can't get any further with my trojan problem. Part of my problem is that my last data backup is unfortunately already two weeks old, and I have a few files (Word, Excel, Access, and a few pictures) that I would very, very much hate to lose. Yesterday morning I caught the Live Security Platinum trojan, which was "removed" by a buddy of mine (at least I don't see it anymore). No logs were created and no other information about it was kept. Yesterday afternoon TR/ATRAPS.Gen showed up instead, and this morning TR/inject.eigl; both were found by Avira Free. I have now read through the forum, created the log files as far as I could, and hope that I have at least done everything right up to this point, because unfortunately I have no idea at all. I also downloaded Malwarebytes, ran it, and created a log file as well; everything has been moved to quarantine, but nothing has been deleted yet. The file is at the very end of this post. Thank you in advance for your help, and I hope that I can somehow get my problem (especially the one with the data) under control.
Best regards, Katta

The OTL log:

OTL logfile created on: 17.07.2012 08:21:13 - Run 1 OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\sun\Desktop Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,99 Gb Total Physical Memory | 2,11 Gb Available Physical Memory | 70,50% Memory free 5,98 Gb Paging File | 4,74 Gb Available in Paging File | 79,26% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 100,01 Gb Total Space | 54,39 Gb Free Space | 54,38% Space Free | Partition Type: NTFS Drive D: | 365,65 Gb Total Space | 118,71 Gb Free Space | 32,47% Space Free | Partition Type: NTFS Computer Name: STERNCHEN | User Name: sun | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.07.17 08:08:15 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\sun\Desktop\OTL.exe PRC - [2012.07.17 08:08:03 | 000,050,477 | ---- | M] () -- C:\Users\sun\Desktop\Defogger.exe PRC - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.07.03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe PRC - [2012.05.24 20:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- C:\Users\sun\AppData\Roaming\Dropbox\bin\Dropbox.exe PRC - [2012.05.08 10:27:26 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.05.08 10:27:26 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. 
KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2012.05.08 10:27:26 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.08 10:27:26 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2012.01.19 11:06:50 | 000,032,256 | ---- | M] () -- C:\Programme\Hardcopy\hcdll2_ex_Win32.exe PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2011.03.28 21:31:16 | 000,193,920 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE PRC - [2011.03.28 21:31:14 | 001,713,536 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE PRC - [2011.03.24 00:35:05 | 000,519,632 | ---- | M] (Cisco Systems, Inc.) -- C:\Programme\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe PRC - [2011.03.24 00:34:18 | 000,435,152 | ---- | M] (Cisco Systems, Inc.) -- C:\Programme\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2010.01.09 21:37:50 | 004,640,000 | ---- | M] (Microsoft Corporation) -- C:\Programme\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE PRC - [2009.09.24 19:47:46 | 000,834,560 | ---- | M] (Samsung Electronics Co., Ltd.) 
-- C:\Programme\Samsung\Easy Display Manager\dmhkcore.exe PRC - [2009.03.03 13:45:11 | 000,296,400 | ---- | M] () -- C:\Programme\Verbindungsassistent\WTGService.exe PRC - [2003.08.28 14:11:17 | 000,664,064 | ---- | M] (mysoft hxxp://www.mysoft.de) -- C:\Programme\Winexit\Winexit.exe ========== Modules (No Company Name) ========== MOD - [2012.07.17 08:08:03 | 000,050,477 | ---- | M] () -- C:\Users\sun\Desktop\Defogger.exe MOD - [2012.01.19 11:06:50 | 000,032,256 | ---- | M] () -- C:\Programme\Hardcopy\hcdll2_ex_Win32.exe MOD - [2012.01.09 20:44:20 | 000,166,912 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll MOD - [2012.01.07 10:54:16 | 000,047,616 | ---- | M] () -- C:\Programme\Hardcopy\hardcopy_04.dll MOD - [2011.05.26 13:42:00 | 000,067,872 | ---- | M] () -- C:\Programme\Common Files\Apple\Apple Application Support\zlib1.dll MOD - [2011.03.17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Programme\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF MOD - [2006.08.12 12:48:40 | 000,049,152 | ---- | M] () -- C:\Programme\Samsung\Easy Display Manager\HookDllPS2.dll MOD - [2002.04.22 04:15:02 | 000,139,264 | ---- | M] () -- C:\Programme\Common Files\Adobe\Shell\psicon.dll ========== Win32 Services (SafeList) ========== SRV - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.06.19 12:23:19 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.05.08 10:27:26 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2012.05.08 10:27:26 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. 
KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.02.29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2011.08.11 09:29:01 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc) SRV - [2011.06.12 11:15:00 | 031,125,880 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service) SRV - [2011.06.06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2011.03.28 21:31:14 | 001,713,536 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc) SRV - [2011.03.24 00:34:18 | 000,435,152 | ---- | M] (Cisco Systems, Inc.) 
[Auto | Running] -- C:\Programme\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -- (vpnagent) SRV - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2010.01.09 21:37:50 | 004,640,000 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc) SRV - [2010.01.09 21:18:00 | 000,149,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc) SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009.03.03 13:45:11 | 000,296,400 | ---- | M] () [Auto | Running] -- C:\Programme\Verbindungsassistent\WTGService.exe -- (WTGService) ========== Driver Services (SafeList) ========== DRV - [2012.07.03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012.05.08 10:27:26 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.05.08 10:27:26 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.04.05 11:05:19 | 000,045,136 | ---- | M] (MARX CryptoTech LP) 
[Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CBUSB.sys -- (CBUSB) DRV - [2011.09.16 16:08:07 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2011.03.24 00:25:38 | 000,019,680 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vpnva.sys -- (vpnva) DRV - [2011.03.24 00:25:14 | 000,077,968 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\acsock.sys -- (acsock) DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus) DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt) DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc) DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb) DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID) DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap) DRV - [2009.12.07 20:53:18 | 000,103,168 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV - [2009.12.07 20:36:48 | 000,201,168 | ---- | M] (Huawei Technologies Co., Ltd.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbnet.sys -- (ewusbnet) DRV - [2009.10.12 16:22:56 | 000,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev) DRV - [2009.10.08 16:55:33 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.07.14 00:13:48 | 001,035,776 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2009.07.14 00:02:53 | 000,311,296 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7) DRV - [2009.07.14 00:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel(R) DRV - [2006.11.14 17:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp) DRV - [2006.11.14 09:11:54 | 000,013,312 | ---- | M] (SAMSUNG ELECTRONICS CO., LTD.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\KMDFMEMIO.sys -- (KMDFMEMIO) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4 IE - HKLM\..\URLSearchHook: {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Programme\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2613550 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKCU\..\URLSearchHook: {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Programme\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) IE - HKCU\..\SearchScopes,DefaultScope = {0D7562AE-8EF6-416d-A838-AB665251703A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = hxxp://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local> ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Wikipedia (de)" FF - prefs.js..browser.search.suggest.enabled: false FF - prefs.js..browser.startup.homepage: "www.google.de" FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) 
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{8AA36F4F-6DC7-4c06-77AF-5035170634FE}: C:\ProgramData\Swiss Academic Software\Citavi Picker\Firefox [2012.06.13 11:11:56 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.06.19 12:23:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.06.19 12:23:20 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.03.05 19:32:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\sun\AppData\Roaming\mozilla\Extensions [2012.07.15 21:14:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\sun\AppData\Roaming\mozilla\Firefox\Profiles\fxzw28sw.default\extensions [2012.07.15 21:14:39 | 000,000,000 | ---D | M] (ZoneAlarm-Sicherheit Community Toolbar) -- 
C:\Users\sun\AppData\Roaming\mozilla\Firefox\Profiles\fxzw28sw.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} [2012.03.05 19:32:41 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2012.06.13 11:11:56 | 000,000,000 | ---D | M] (Citavi Picker) -- C:\PROGRAMDATA\SWISS ACADEMIC SOFTWARE\CITAVI PICKER\FIREFOX [2012.06.19 12:23:20 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.02.16 13:02:53 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.02.16 12:48:01 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.02.16 13:02:53 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.02.16 13:02:53 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.02.16 13:02:53 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.02.16 13:02:53 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation) O2 - BHO: (ZoneAlarm-Sicherheit Toolbar) - {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Program Files\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) O3 - HKLM\..\Toolbar: (ZoneAlarm-Sicherheit Toolbar) - {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Programme\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm-Sicherheit Toolbar) - {FC2B76FC-2132-4D80-A9A3-1F5C6E49066B} - C:\Programme\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation) O4 - HKLM..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe (Cisco Systems, Inc.) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10v_Plugin.exe (Adobe Systems, Inc.) O4 - Startup: C:\Users\sun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\sun\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1 O8 - Extra context menu item: An OneNote s&enden - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Programme\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: ICQ7.6 - {7644E42D-B096-457F-8B5B-901238FC81AE} - C:\Programme\ICQ7.6\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ7.6 - {7644E42D-B096-457F-8B5B-901238FC81AE} - C:\Programme\ICQ7.6\ICQ.exe (ICQ, LLC.) O9 - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.) 
O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.32.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A15A78E-A3A0-4389-8329-5DC711723F98}: NameServer = 134.130.4.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8903B5AA-1CFC-4395-8A42-F613EA701BFF}: DhcpNameServer = 192.168.32.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{99FBA9C1-6FFE-4F15-8146-EF6B2073C7AC}: DhcpNameServer = 212.23.97.2 212.23.97.3 O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Programme\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - 
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{345ba5c2-8ab0-11e1-9f8c-001fe1f37047}\Shell - "" = AutoRun O33 - MountPoints2\{345ba5c2-8ab0-11e1-9f8c-001fe1f37047}\Shell\AutoRun\command - "" = G:\AutoRun.exe O33 - MountPoints2\{f20797f4-7017-11e1-8a3d-001fe1f37047}\Shell - "" = AutoRun O33 - MountPoints2\{f20797f4-7017-11e1-8a3d-001fe1f37047}\Shell\AutoRun\command - "" = F:\AutoRun.exe O33 - MountPoints2\{f2079801-7017-11e1-8a3d-001fe1f37047}\Shell - "" = AutoRun O33 - MountPoints2\{f2079801-7017-11e1-8a3d-001fe1f37047}\Shell\AutoRun\command - "" = F:\AutoRun.exe O33 - MountPoints2\{f2079814-7017-11e1-8a3d-001fe1f37047}\Shell - "" = AutoRun O33 - MountPoints2\{f2079814-7017-11e1-8a3d-001fe1f37047}\Shell\AutoRun\command - "" = F:\AutoRun.exe O33 - MountPoints2\{f2079819-7017-11e1-8a3d-001fe1f37047}\Shell - "" = AutoRun O33 - MountPoints2\{f2079819-7017-11e1-8a3d-001fe1f37047}\Shell\AutoRun\command - "" = F:\AutoRun.exe O33 - MountPoints2\{fcc9ac5f-7586-11e1-8bf9-001fe1f37047}\Shell - "" = AutoRun O33 - MountPoints2\{fcc9ac5f-7586-11e1-8bf9-001fe1f37047}\Shell\AutoRun\command - "" = F:\AutoRun.exe O33 - MountPoints2\{fcc9ac62-7586-11e1-8bf9-001fe1f37047}\Shell - "" = AutoRun O33 - MountPoints2\{fcc9ac62-7586-11e1-8bf9-001fe1f37047}\Shell\AutoRun\command - "" = F:\AutoRun.exe O33 - MountPoints2\F\Shell - "" = AutoRun O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\AutoRun.exe O33 - MountPoints2\G\Shell - "" = AutoRun O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\AutoRun.exe O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - 
HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.07.17 08:08:09 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\sun\Desktop\OTL.exe [2012.07.16 11:16:01 | 000,000,000 | ---D | C] -- C:\Users\sun\AppData\Roaming\Malwarebytes [2012.07.16 11:15:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012.07.16 11:15:58 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.07.16 11:15:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.07.16 11:15:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.07.16 09:03:16 | 000,000,000 | ---D | C] -- C:\Users\sun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum [2012.07.16 08:59:26 | 000,000,000 | ---D | C] -- C:\ProgramData\036DFF980001705EEF6A5F3AF875EF7E [2012.07.09 08:27:53 | 000,000,000 | R--D | C] -- C:\Users\sun\Desktop\Onleihe [2012.06.27 15:15:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hardcopy [2012.06.27 15:15:09 | 000,000,000 | ---D | C] -- C:\Program Files\Hardcopy [2012.06.27 15:14:26 | 001,703,936 | ---- | C] (www.sw4you.de Siegfried Weckmann) -- C:\Windows\SwSetupu.exe [2004.01.12 00:00:00 | 000,348,160 | ---- | C] (Microsoft Corporation) -- C:\Program Files\msvcr71.dll ========== Files - Modified Within 30 Days ========== [2012.07.17 08:13:53 | 000,000,000 | ---- | M] () -- C:\Users\sun\defogger_reenable [2012.07.17 08:08:15 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\sun\Desktop\OTL.exe [2012.07.17 08:08:03 | 000,050,477 | ---- | M] () -- C:\Users\sun\Desktop\Defogger.exe [2012.07.17 07:48:37 | 000,067,584 | --S- | M] () -- 
C:\Windows\bootstat.dat [2012.07.16 13:49:55 | 000,620,290 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.07.16 13:49:54 | 000,668,778 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.07.16 13:49:54 | 000,134,562 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.07.16 13:49:54 | 000,110,478 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.07.16 13:48:13 | 000,015,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.07.16 13:48:13 | 000,015,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.07.16 13:40:43 | 2408,390,656 | -HS- | M] () -- C:\hiberfil.sys [2012.07.16 12:22:13 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.07.12 01:20:47 | 000,421,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.07.11 22:50:52 | 137,629,807 | ---- | M] () -- C:\Users\sun\Desktop\01-die_drei_fragezeichen--f154_botschaft_aus_der_unterwelt-oma.mp3 [2012.07.04 16:36:40 | 000,352,256 | ---- | M] () -- C:\Users\sun\Documents\Database1.accdb [2012.07.03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.06.25 16:16:26 | 000,000,000 | -H-- | M] () -- C:\Users\sun\Documents\Default.rdp ========== Files Created - No Company Name ========== [2012.07.17 08:13:53 | 000,000,000 | ---- | C] () -- C:\Users\sun\defogger_reenable [2012.07.17 08:08:00 | 000,050,477 | ---- | C] () -- C:\Users\sun\Desktop\Defogger.exe [2012.07.16 11:15:59 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.07.12 11:56:35 | 137,629,807 | ---- | C] () -- C:\Users\sun\Desktop\01-die_drei_fragezeichen--f154_botschaft_aus_der_unterwelt-oma.mp3 [2012.07.04 16:33:19 | 000,352,256 | ---- | C] () -- C:\Users\sun\Documents\Database1.accdb [2012.06.25 16:16:26 | 000,000,000 | -H-- | C] () -- 
C:\Users\sun\Documents\Default.rdp [2012.03.05 19:28:01 | 000,001,213 | ---- | C] () -- C:\Users\sun\ia_remove.sh [2012.01.11 10:31:43 | 000,002,048 | -HS- | C] () -- C:\Users\sun\AppData\Local\{0eff2cb0-66a4-c2f5-ecf1-5c11cb76412d}\@ [2011.10.30 10:45:25 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll [2011.09.14 09:40:23 | 000,000,008 | ---- | C] () -- C:\Windows\System32\PROTOCOL.INI [2011.08.12 11:03:54 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe [2011.07.31 23:32:30 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll ========== LOP Check ========== [2012.03.23 09:24:42 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report >

The EXTRAS.log:

OTL Extras logfile created on: 17.07.2012 08:21:13 - Run 1 OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\sun\Desktop Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,99 Gb Total Physical Memory | 2,11 Gb Available Physical Memory | 70,50% Memory free 5,98 Gb Paging File | 4,74 Gb Available in Paging File | 79,26% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 100,01 Gb Total Space | 54,39 Gb Free Space | 54,38% Space Free | Partition Type: NTFS Drive D: | 365,65 Gb Total Space | 118,71 Gb Free Space | 32,47% Space Free | Partition Type: NTFS Computer Name: STERNCHEN | User Name: sun | Logged in as Administrator. 
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"AntiVirusDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallDisableNotify" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02B75632-552D-444C-92BF-875D6FC62E11}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{1726EFA1-348B-4317-9784-CFC1C015C17D}" = rport=137 | protocol=17 | dir=out | app=system |
"{17754DA2-02CC-4961-B4CF-117AD61E2B08}" = lport=2869 | protocol=6 | dir=in | app=system |
"{38043C39-CEAB-4F5E-9D56-132E1A6387E7}" = lport=10243 | protocol=6 | dir=in | app=system |
"{3BD55B95-8A33-453C-8F79-F0C724D8D207}" = lport=138 | protocol=17 | dir=in | app=system |
"{45F68F2E-743B-40A0-8DC0-7AD00D89E498}" = lport=445 | protocol=6 | dir=in | app=system |
"{48C00818-D7B3-47A1-879C-84B9DC2DF8F7}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4A68FEFE-5BF9-4752-A706-735A3C86FA1B}" = rport=138 | protocol=17 | dir=out | app=system |
"{5595D50F-D891-47F7-8CBA-EE0B332FBDA7}" = lport=137 | protocol=17 | dir=in | app=system |
"{5F339147-B88E-46F8-AF02-F097E1DB4E7E}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{60D6E371-5BE5-46D3-838A-9C5E983443E6}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{81403E13-09FC-4FAD-A426-313371FA31B5}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{90E71B83-1B43-44D2-9B8F-98081D664853}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{926AB2B6-B891-427B-8F61-D1EE4091ED24}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A641BE3F-3040-4E99-954A-9803347B08E4}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{B22B9D2E-50C7-45DA-BBCF-395F5454153E}" = rport=445 | protocol=6 | dir=out | app=system |
"{B476418A-257D-4377-986B-C514ABAC624E}" = lport=139 | protocol=6 | dir=in | app=system |
"{BA5F5652-0636-4580-BB18-1908C09DB196}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C2D1ED44-388C-42C2-8701-5DEEDF6C510A}" = rport=10243 | protocol=6 | dir=out | app=system |
"{DCF6F32D-FA23-4C6E-A8D5-0BE0D819F680}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{E03D27E4-1765-4564-8B40-D96D5BB1C1E0}" = rport=139 | protocol=6 | dir=out | app=system |
"{E38FDD73-B6F6-4C44-858A-944C825286A1}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F5B16235-C3E9-4F0B-A61F-70BFB26026F8}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F7B79769-4E2E-4D69-8DB9-9EEDD469D6D0}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0316E654-FD85-439A-984B-C8CBA674237C}" = dir=in | app=c:\program files\commodas\pact\scs-tools\scslutmon.exe |
"{07D475CC-ECA3-49AE-B973-8F20E4BC9F93}" = dir=out | app=c:\program files\commodas\common\msortpictureviewer.exe |
"{0E4ACF7A-7344-41FC-A310-C7378C0EB9EC}" = protocol=17 | dir=in | app=c:\program files\icq7.6\icq.exe |
"{12E9AF2C-1FF9-4058-A291-F33CA1A7F385}" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe |
"{1AB33577-94E2-4603-A986-A3EA9D37ECD1}" = dir=out | app=c:\program files\commodas\pact\scs-tools\dnobrowser.exe |
"{20E7E1BB-E354-4FB4-80CA-D8BB2DAB1B4A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{2D3900B9-0EAD-4BB7-B094-BB72D0BC5A90}" = dir=in | app=c:\program files\commodas\pact\bin\scs_hpcp.exe |
"{3CF4F42A-3D71-46C3-AE0B-1D0BF3BCEC54}" = dir=out | app=c:\program files\commodas\pact\bin\scscoreprocess2.exe |
"{43AD16E6-D739-460E-9270-8CB5E2FEF21D}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{46371C77-FFC1-4776-9E3A-2AA93E49D0E1}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{4AE28830-EFE6-49DD-AE5A-13B195ED16CA}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{4B376A4C-E7B8-4DB2-9033-4B4F536EB0DF}" = dir=in | app=c:\program files\commodas\common\cdspictureviewer.exe |
"{4BE398C0-437A-442E-BD30-5E0C1CDBFAE1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{5033ABB5-0CCB-4ED8-B582-6D266D060D4D}" = dir=out | app=c:\program files\commodas\pact\scs-tools\scslutmon.exe |
"{5737FBD2-0645-48D8-A727-E0093A4BE916}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{5DE879FB-F551-4C2B-A91A-D281CD340129}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{60C3DE9D-7721-446E-BB85-878F281CA06A}" = dir=in | app=c:\program files\commodas\pact\bin\scs_cpp.exe |
"{62559A4D-D489-41F0-9435-D6E0E6B6EE08}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{65AD2147-E633-4801-94AB-A7A076571ADE}" = dir=out | app=c:\program files\commodas\pact\bin\pact.exe |
"{6788AC13-1D3C-4CD9-9F6A-B7D599065654}" = dir=out | app=c:\program files\commodas\pact\scs-tools\scstrace.exe |
"{85706C04-8D65-4777-A6C3-9FA1086805E8}" = dir=out | app=c:\program files\commodas\common\cdspictureviewer.exe |
"{88316BC5-84C9-4945-9FCF-809C946BCEE2}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{88818AFE-44DC-44D2-9BE7-C6B691D8D071}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8B0F740E-9BD4-4810-9122-C1EF371FCAD0}" = protocol=6 | dir=in | app=c:\program files\icq7.6\icq.exe |
"{8C4FF6B0-0CE7-413B-A005-D1DD7E887DB7}" = protocol=17 | dir=in | app=c:\program files\icq7.6\icq.exe |
"{90723C8F-F67D-4076-B769-602A752F9B8A}" = dir=in | app=c:\program files\commodas\pact\bin\pact.exe |
"{90E5B037-0C39-4780-836E-262EDC912D17}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{91A6FE1B-497A-42D8-A2A1-EE5814D76D76}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{99227126-4AAC-4A00-AE85-787E12A759D4}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{9B56BD87-CA6F-4A51-B757-CD85A8A69286}" = dir=in | app=c:\program files\commodas\common\msortpictureviewer.exe |
"{A31433ED-2DF5-4E7A-B1DB-5979382400D5}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{A44139F6-031B-4049-83D8-7E2A7704AEF7}" = dir=in | app=c:\program files\commodas\pact\scs-tools\scstrace.exe |
"{A5BF5975-A251-4BEF-AEF4-00BAA91A1741}" = protocol=17 | dir=in | app=c:\program files\icq7.6\icq.exe |
"{A5F5299B-C251-4752-B5F6-D0A986C27ECD}" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe |
"{A887CE91-5817-4773-804B-065DD483AD00}" = dir=out | app=c:\program files\commodas\pact\bin\scs_hpcp.exe |
"{B5442022-CCF7-43E9-82A9-92D913DE9F0A}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{B7AB948C-6E86-4243-802C-EC45F2647143}" = dir=in | app=c:\program files\commodas\pact\scs-tools\dnobrowser.exe |
"{B89F4162-B4E8-4A47-83E1-054F41D24A13}" = protocol=6 | dir=out | app=system |
"{BCA32B67-12D7-49A7-BF03-6B5ABAC61AC3}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{BCA711F7-1028-46BA-AA89-7D41FF663AC6}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{C9F56BF4-9968-4660-AE01-02C4BB3D63EB}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{D68FE5A5-B526-4049-87D9-0F1E2E8A233C}" = protocol=6 | dir=in | app=c:\program files\icq7.6\icq.exe |
"{DC21E9FF-D08B-4127-A8AF-1082D284BC6F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E04D48DB-401B-40FB-B4EB-8FFB585E3B68}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{EF2548D2-E063-445D-9AA8-08B715BBA28A}" = dir=out | app=c:\program files\commodas\pact\bin\scs_cpp.exe |
"{EF7F6A62-7F1E-44C1-81B8-AC843CA0B06E}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{F6635F11-63E1-4912-B7F0-BD90EFF3AE33}" = dir=in | app=c:\program files\commodas\pact\bin\scscoreprocess2.exe |
"{F711AE1E-B536-400E-B738-D511B3F22D49}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{F73FC86E-85DB-4247-80BA-C1B9F2970FB3}" = protocol=6 | dir=in | app=c:\program files\icq7.6\icq.exe |
"{F8B3AD0B-8338-4A99-BB8F-F423B7E5225C}" = dir=out | app=c:\program files\commodas\pact\scs-tools\dnoconfiguration.exe |
"{FBA19600-0679-47FF-9B5D-E0E2559A3B0D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{FD720902-6676-4ADF-A90A-9E638B494838}" = dir=in | app=c:\program files\commodas\pact\scs-tools\dnoconfiguration.exe |
"{FF373DFC-8D36-4872-821D-698E8657979E}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"TCP Query User{4DC750A9-164B-4A7C-8E50-9DBCC24FE897}C:\users\sun\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\sun\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{94C6032A-9DF5-4997-8035-F7BBE6BC8679}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |
"TCP Query User{A6A60C1B-EA28-4DC3-B919-4E760C23C024}C:\program files\malwarebytes' anti-malware\mbam.exe" = protocol=6 | dir=in | app=c:\program files\malwarebytes' anti-malware\mbam.exe |
"TCP Query User{AF38D8BA-E94E-485B-A1E6-776AABFA5BC4}C:\totalcmd\totalcmd.exe" = protocol=6 | dir=in | app=c:\totalcmd\totalcmd.exe |
"TCP Query User{D7EB65E0-370C-4C62-9F23-7A0DA928AAAC}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{E48BF945-B411-4989-B2C0-42D23C32EFD7}C:\users\sun\appdata\local\temp\teamviewer\version7\teamviewer.exe" = protocol=6 | dir=in | app=c:\users\sun\appdata\local\temp\teamviewer\version7\teamviewer.exe |
"TCP Query User{FB12ACED-A576-42A7-BA4D-3420F181F86A}C:\users\sun\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\sun\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{14E1A97D-DEA7-4E2A-B7CC-5F66B1E4FE69}C:\users\sun\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\sun\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{3BB76782-01BD-4D30-BBCD-FB3B018C083D}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{7E73D919-1230-48C5-886E-13FC27E2FC9A}C:\totalcmd\totalcmd.exe" = protocol=17 | dir=in | app=c:\totalcmd\totalcmd.exe |
"UDP Query User{93A656B7-05E6-4B21-813C-DEA6A11C4D49}C:\users\sun\appdata\local\temp\teamviewer\version7\teamviewer.exe" = protocol=17 | dir=in | app=c:\users\sun\appdata\local\temp\teamviewer\version7\teamviewer.exe |
"UDP Query User{BAA6282F-960C-4F0F-AAA5-E2FEBEBDA9C8}C:\users\sun\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\sun\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{C8144B34-E267-4F1D-8916-775D415D890A}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |
"UDP Query User{F3EEF793-9D94-44E0-88EC-AE6FF32E4D1A}C:\program files\malwarebytes' anti-malware\mbam.exe" = protocol=17 | dir=in | app=c:\program files\malwarebytes' anti-malware\mbam.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{3019D6C0-60B0-41BE-B0FA-BB85B1F00BC3}" = PACT
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{529125EF-E3AC-4B74-97E6-F688A7C0F1BF}" = Paint.NET v3.5.10
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5B1F04DA-0F27-45B7-96F2-37190D5E11AE}" = Cisco AnyConnect Secure Mobility Client
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{7644E42D-B096-457F-8B5B-901238FC81AE}" = ICQ7.6
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0015-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0016-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0018-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001A-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001B-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{65A2328E-FDFB-4CA3-8582-357EA6825FEA}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-001F-0410-0000-0000000FF1CE}_Office14.PROPLUSR_{C0743197-FFEE-4C19-BAEB-8F7437DC4C8A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-002C-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{4275FB46-ABDF-4456-876C-17CF64294D9A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2010
"{90140000-0044-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{98EDFD9F-EA76-40CC-BCE9-92C69413F65B}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00A1-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2010
"{90140000-00BA-0407-0000-0000000FF1CE}_Office14.PROPLUSR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.0) - Deutsch
"{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie
"{B15B400A-19ED-4CC7-B3E4-9295D8470CBE}" = Secure Download Manager
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C73CA646-73B3-4AEF-A136-C37505745174}" = iTunes
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D99D18FD-0F3C-46E3-997C-414586DBBBDE}" = MODSIM 3.6.12 Student
"{DBA476A6-BB9A-47B3-ACAA-E56996BCA5A7}" = XRayConfigurator
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E12C6653-1FF0-4686-ADB8-589C13AE761F}" = Citavi
"{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"5513-1208-7298-9440" = JDownloader 0.9
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.9
"Audacity_is1" = Audacity 2.0
"Avira AntiVir Desktop" = Avira Free Antivirus
"Cisco AnyConnect Secure Mobility Client" = Cisco AnyConnect Secure Mobility Client
"Hardcopy(C__Program Files_Hardcopy)" = Hardcopy (C:\Program Files\Hardcopy)
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"LAME_is1" = LAME v3.99.3 (for Windows)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mobile Partner" = Mobile Partner
"Mozilla Firefox 13.0.1 (x86 de)" = Mozilla Firefox 13.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"Stonekeep_is1" = Stonekeep
"Totalcmd" = Total Commander (Remove or Repair)
"Tuned!" = Tuned!
"TVWiz" = Intel(R) TV Wizard
"Verbindungsassistent" = Verbindungsassistent
"VLC media player" = VLC media player 1.1.11
"Winexit_is1" = Winexit 3.5
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.10 (32-Bit)
"YTdetect" = Yahoo! Detect

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 16.07.2012 06:20:52 | Computer Name = Sternchen | Source = Microsoft-Windows-LoadPerf | ID = 3001
Description = Die Namenszeichenfolgenwert für den Leistungsindikator in der Registrierung ist falsch formatiert. Die falsch formatierte Zeichenfolge ist "9716". Das erste DWORD im Datenbereich enthält den Indexwert für die falsch formatierte Zeichenfolge, während das zweite und dritte DWORD im Datenbereich die letzten gültigen Indexwerte enthalten.

Error - 16.07.2012 06:20:52 | Computer Name = Sternchen | Source = Microsoft-Windows-LoadPerf | ID = 3001
Description = Die Namenszeichenfolgenwert für den Leistungsindikator in der Registrierung ist falsch formatiert. Die falsch formatierte Zeichenfolge ist "9716". Das erste DWORD im Datenbereich enthält den Indexwert für die falsch formatierte Zeichenfolge, während das zweite und dritte DWORD im Datenbereich die letzten gültigen Indexwerte enthalten.

Error - 16.07.2012 06:20:52 | Computer Name = Sternchen | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Fehler beim Herunterladen der Zeichenfolgen der Leistungsindikatoren für Dienst "WmiApRpl" (WmiApRpl). Der Fehlercode ist das erste DWORD im Datenbereich.

Error - 16.07.2012 06:20:55 | Computer Name = Sternchen | Source = Microsoft-Windows-LoadPerf | ID = 3001
Description = Die Namenszeichenfolgenwert für den Leistungsindikator in der Registrierung ist falsch formatiert. Die falsch formatierte Zeichenfolge ist "9716". Das erste DWORD im Datenbereich enthält den Indexwert für die falsch formatierte Zeichenfolge, während das zweite und dritte DWORD im Datenbereich die letzten gültigen Indexwerte enthalten.
Error - 16.07.2012 06:20:55 | Computer Name = Sternchen | Source = Microsoft-Windows-LoadPerf | ID = 3001
Description = Die Namenszeichenfolgenwert für den Leistungsindikator in der Registrierung ist falsch formatiert. Die falsch formatierte Zeichenfolge ist "9716". Das erste DWORD im Datenbereich enthält den Indexwert für die falsch formatierte Zeichenfolge, während das zweite und dritte DWORD im Datenbereich die letzten gültigen Indexwerte enthalten.

Error - 16.07.2012 08:59:02 | Computer Name = Sternchen | Source = RasClient | ID = 20227
Description =

Error - 16.07.2012 12:17:54 | Computer Name = Sternchen | Source = Bonjour Service | ID = 100
Description = mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error - 16.07.2012 12:17:54 | Computer Name = Sternchen | Source = Bonjour Service | ID = 100
Description = mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error - 17.07.2012 01:48:44 | Computer Name = Sternchen | Source = Bonjour Service | ID = 100
Description = mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error - 17.07.2012 01:48:44 | Computer Name = Sternchen | Source = Bonjour Service | ID = 100
Description = mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

[ Cisco AnyConnect Secure Mobility Client Events ]
Error - 16.07.2012 06:11:30 | Computer Name = Sternchen | Source = acvpnui | ID = 67108865
Description = Function: ConnectMgr::activateConnectEvent File: .\ConnectMgr.cpp Line: 1020 NULL object. Cannot establish a connection at this time.

Error - 16.07.2012 07:40:53 | Computer Name = Sternchen | Source = acvpnagent | ID = 67108866
Description = Function: Directory::ReadDir File: .\Utility\Directory.cpp Line: 156 Invoked Function: ::FindNextFile Return Code: 18 (0x00000012) Description: Es sind keine weiteren Dateien vorhanden.

Error - 16.07.2012 07:40:53 | Computer Name = Sternchen | Source = acvpnagent | ID = 67108866
Description = Function: PluginLoader::QuickCreatePlugin File: c:\temp\build\thehoff\DaVinci_MR10.327428428415\DaVinci_MR1\vpn\Common\Utility/PluginLoader.h Line: 145 Invoked Function: PluginLoader::CreateInstance Return Code: -29294580 (0xFE41000C) Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE

Error - 16.07.2012 07:40:53 | Computer Name = Sternchen | Source = acvpnagent | ID = 67108866
Description = Function: PluginLoader::QuickCreatePlugin File: c:\temp\build\thehoff\DaVinci_MR10.327428428415\DaVinci_MR1\vpn\Common\Utility/PluginLoader.h Line: 145 Invoked Function: PluginLoader::CreateInstance Return Code: -29294580 (0xFE41000C) Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE

Error - 16.07.2012 07:40:53 | Computer Name = Sternchen | Source = acvpnagent | ID = 67108866
Description = Function: PluginLoader::QuickCreatePlugin File: c:\temp\build\thehoff\DaVinci_MR10.327428428415\DaVinci_MR1\vpn\Common\Utility/PluginLoader.h Line: 145 Invoked Function: PluginLoader::CreateInstance Return Code: -29294580 (0xFE41000C) Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE

Error - 16.07.2012 07:41:32 | Computer Name = Sternchen | Source = acvpnui | ID = 67108866
Description = Function: Directory::ReadDir File: .\Utility\Directory.cpp Line: 156 Invoked Function: ::FindNextFile Return Code: 18 (0x00000012) Description: Es sind keine weiteren Dateien vorhanden.

Error - 16.07.2012 07:41:32 | Computer Name = Sternchen | Source = acvpnui | ID = 67108866
Description = Function: PluginLoader::QuickCreatePlugin File: c:\temp\build\thehoff\DaVinci_MR10.327428428415\DaVinci_MR1\vpn\Common\Utility/PluginLoader.h Line: 145 Invoked Function: PluginLoader::CreateInstance Return Code: -29294580 (0xFE41000C) Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE

Error - 16.07.2012 07:41:32 | Computer Name = Sternchen | Source = acvpnui | ID = 67108866
Description = Function: PluginLoader::QuickCreatePlugin File: c:\temp\build\thehoff\DaVinci_MR10.327428428415\DaVinci_MR1\vpn\Common\Utility/PluginLoader.h Line: 145 Invoked Function: PluginLoader::CreateInstance Return Code: -29294580 (0xFE41000C) Description: PLUGINLOADER_ERROR_COULD_NOT_CREATE

Error - 16.07.2012 07:41:32 | Computer Name = Sternchen | Source = acvpnui | ID = 67108866
Description = Function: CMainFrame::getDARTInstallDir File: .\mainfrm.cpp Line: 4156 Invoked Function: MsiEnumProductsExW Return Code: 259 (0x00000103) Description: Es sind keine Daten mehr verfügbar.

Error - 16.07.2012 07:41:33 | Computer Name = Sternchen | Source = acvpnui | ID = 67108865
Description = Function: ConnectMgr::activateConnectEvent File: .\ConnectMgr.cpp Line: 1020 NULL object. Cannot establish a connection at this time.

[ System Events ]
Error - 16.07.2012 06:11:31 | Computer Name = Sternchen | Source = Service Control Manager | ID = 7031
Description = Der Dienst "Software Protection" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 120000 Millisekunden durchgeführt: Neustart des Diensts.
Error - 16.07.2012 06:16:41 | Computer Name = Sternchen | Source = Service Control Manager | ID = 7026
Description = Das Laden folgender Boot- oder Systemstarttreiber ist fehlgeschlagen: avipbb avkmgr discache SABI spldr ssmdrv Wanarpv6

Error - 16.07.2012 06:16:54 | Computer Name = Sternchen | Source = DCOM | ID = 10005
Description =

Error - 16.07.2012 06:17:00 | Computer Name = Sternchen | Source = DCOM | ID = 10005
Description =

Error - 16.07.2012 06:17:03 | Computer Name = Sternchen | Source = DCOM | ID = 10005
Description =

Error - 16.07.2012 06:17:03 | Computer Name = Sternchen | Source = DCOM | ID = 10005
Description =

Error - 16.07.2012 07:40:16 | Computer Name = Sternchen | Source = DCOM | ID = 10010
Description =

Error - 17.07.2012 01:57:11 | Computer Name = Sternchen | Source = Disk | ID = 262155
Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR2 gefunden.

Error - 17.07.2012 01:57:12 | Computer Name = Sternchen | Source = Disk | ID = 262155
Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR2 gefunden.

Error - 17.07.2012 01:57:12 | Computer Name = Sternchen | Source = Disk | ID = 262155
Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR2 gefunden.

< End of report >

and the Gmer.txt:

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-07-17 12:10:00
Windows 6.1.7601 Service Pack 1
Running: 6znn85l5.exe; Driver: C:\Users\sun\AppData\Local\Temp\awtyapob.sys

---- System - GMER 1.0.15 ----

SSDT 91BE37FE ZwCreateSection
SSDT 91BE3808 ZwRequestWaitReplyPort
SSDT 91BE3803 ZwSetContextThread
SSDT 91BE380D ZwSetSecurityObject
SSDT 91BE3812 ZwSystemDebugControl
SSDT 91BE379F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwRollbackEnlistment + 1409 82C4C989 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C6C4E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 14BF 82C7387C 4 Bytes [FE, 37, BE, 91]
.text ntoskrnl.exe!KeRemoveQueueEx + 181B 82C73BD8 4 Bytes [08, 38, BE, 91]
.text ntoskrnl.exe!KeRemoveQueueEx + 185F 82C73C1C 4 Bytes [03, 38, BE, 91]
.text ntoskrnl.exe!KeRemoveQueueEx + 18DB 82C73C98 4 Bytes [0D, 38, BE, 91]
.text ntoskrnl.exe!KeRemoveQueueEx + 192F 82C73CEC 4 Bytes JMP BE381282
.text ...
? System32\drivers\qepd.sys Das System kann den angegebenen Pfad nicht finden. !

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe1f37047
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe1f37047@ac81f3007718 0x7C 0xA6 0x88 0x87 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe1f37047 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe1f37047@ac81f3007718 0x7C 0xA6 0x88 0x87 ...

---- EOF - GMER 1.0.15 ----

and the Malwarebytes file:

Malwarebytes Anti-Malware (Test) 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.17.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
sun :: STERNCHEN [Administrator]

Schutz: Aktiviert

17.07.2012 12:33:57
mbam-log-2012-07-17 (13-45-01)m

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 309426
Laufzeit: 1 Stunde(n), 8 Minute(n), 13 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Keine Aktion durchgeführt.

Infizierte Registrierungswerte: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Daten: C:\Users\sun\AppData\Local\{0eff2cb0-66a4-c2f5-ecf1-5c11cb76412d}\n. -> Keine Aktion durchgeführt.

Infizierte Dateiobjekte der Registrierung: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bösartig: (1) Gut: (0) -> Keine Aktion durchgeführt.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bösartig: (1) Gut: (0) -> Keine Aktion durchgeführt.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bösartig: (1) Gut: (0) -> Keine Aktion durchgeführt.

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)