|
Plagegeister aller Art und deren Bekämpfung: Sirefef.AL und Siref.AQWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
06.08.2012, 18:44 | #1 |
| Sirefef.AL und Siref.AQ Microsoft Security Essentials meldet auf meinem Rechner alle 4 Minuten zwei Bedrohungen (siehe oben), die dann immer entfernt wird. Zudem wollte gestern eine Datei vikyrefwaqis.exe ausgeführt werden. Das Ausführen dieser Datei konnte ich mit der Sicherheitsfrage nicht verhindern und beenden; erst nach einigen Minuten und vielen Neins blieb die Meldung in der Taskleiste; ich habe über den Taskmanager den Prozess der Datei beendet; anschließend habe ich die Datei (sie befand sich im Adminprofil) gelöscht. Ich habe wie beschrieben Malwarebytes Anti-Malware laufen lassen; das Ergebnis: Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.07.03.05 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 Admin :: ADMIN-PC [Administrator] Schutz: Aktiviert 06.08.2012 17:12:20 mbam-log-2012-08-06 (17-12-20).txt Art des Suchlaufs: Quick-Scan Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 229503 Laufzeit: 5 Minute(n), 50 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 1 HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Erfolgreich gelöscht und in Quarantäne gestellt. Infizierte Registrierungswerte: 3 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Userinit (Backdoor.Agent) -> Daten: C:\Users\Admin\AppData\Roaming\appconf32.exe -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Daten: C:\Users\Admin\AppData\Local\{c131cda6-abe8-ef6f-f49c-4367e3e7b080}\n. -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Daten: C:\Windows\system32\regedit.exe -> Erfolgreich gelöscht und in Quarantäne gestellt. Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 1 C:\Users\Admin\AppData\Roaming\appconf32.exe (Backdoor.Agent) -> Löschen bei Neustart. (Ende) Ich habe dies dann mit der aktuellen Version "mbam-rules.exe" wiederholt; das Ergebnis: Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.08.06.09 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 Admin :: ADMIN-PC [Administrator] Schutz: Aktiviert 06.08.2012 19:53:34 mbam-log-2012-08-06 (19-53-34).txt Art des Suchlaufs: Quick-Scan Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 215669 Laufzeit: 5 Minute(n), 54 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 4 HKCR\CLSID\{DD31495E-290C-41CF-8C66-7415383F82DE} (Trojan.Banker) -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD31495E-290C-41CF-8C66-7415383F82DE} (Trojan.Banker) -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DD31495E-290C-41CF-8C66-7415383F82DE} (Trojan.Banker) -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DD31495E-290C-41CF-8C66-7415383F82DE} (Trojan.Banker) -> Erfolgreich gelöscht und in Quarantäne gestellt. Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 4 C:\Users\Admin\AppData\Roaming\AcroIEHelpe180.dll (Trojan.Banker) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\Users\Admin\AppData\Local\Temp\msimg32.dll (RootKit.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\Users\Admin\AppData\Local\Temp\50648548.exe (Trojan.Phex.THAGen3) -> Erfolgreich gelöscht und in Quarantäne gestellt. C:\Users\Admin\AppData\Local\Temp\50651855.exe (RootKit.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt. (Ende) Waren diese Schritte richtig? Was soll ich tun? Geändert von inselino (06.08.2012 um 19:09 Uhr) |
07.08.2012, 19:27 | #2 |
| Sirefef.AL und Siref.AQ Ich habe inzwischen defrogger ausgeführt.
__________________Ergebnis: defogger_disable by jpshortstuff (23.02.10.1) Log created at 19:25 on 07/08/2012 (Admin) Checking for autostart values... HKCU\~\Run values retrieved. HKLM\~\Run values retrieved. Checking for services/drivers... -=E.O.F=- Anschließend OTL: OTL.txt: OTL Logfile: Code:
ATTFilter OTL logfile created on: 07.08.2012 19:29:34 - Run 1 OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\Admin\Desktop Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,25 Gb Total Physical Memory | 1,78 Gb Available Physical Memory | 54,89% Memory free 6,49 Gb Paging File | 5,03 Gb Available in Paging File | 77,41% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 197,10 Gb Total Space | 90,25 Gb Free Space | 45,79% Space Free | Partition Type: NTFS Drive D: | 596,16 Gb Total Space | 575,81 Gb Free Space | 96,59% Space Free | Partition Type: NTFS Drive E: | 390,28 Gb Total Space | 364,39 Gb Free Space | 93,37% Space Free | Partition Type: NTFS Drive L: | 29,91 Gb Total Space | 24,68 Gb Free Space | 82,51% Space Free | Partition Type: FAT32 Computer Name: ADMIN-PC | User Name: Admin | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.08.07 15:35:30 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe PRC - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.07.03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe PRC - [2012.06.06 21:33:42 | 001,564,872 | ---- | M] (Ask) -- C:\Programme\Ask.com\Updater\Updater.exe PRC - [2012.05.18 11:04:52 | 000,434,168 | ---- | M] (TomTom) -- C:\Programme\MyTomTom 3\MyTomTomSA.exe PRC - [2012.05.15 12:26:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe PRC - [2012.05.15 11:28:16 | 001,820,480 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\nvtray.exe PRC - [2012.05.15 11:27:34 | 000,857,920 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\nvxdsync.exe PRC - [2012.05.15 02:21:40 | 000,382,272 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe PRC - [2012.03.26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\msseces.exe PRC - [2012.03.26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\MsMpEng.exe PRC - [2012.02.23 12:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Programme\Common Files\Apple\Internet Services\ubd.exe PRC - [2012.01.03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2010.10.27 19:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe PRC - [2010.08.25 11:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac PRC - [2010.07.28 17:34:02 | 000,569,752 | ---- | M] (Affinegy, Inc.) -- C:\Programme\Belkin\Router Setup and Monitor\BelkinService.exe PRC - [2010.07.28 17:33:58 | 006,995,864 | ---- | M] (Affinegy, Inc.) -- C:\Programme\Belkin\Router Setup and Monitor\BelkinSetup.exe PRC - [2010.07.28 17:33:58 | 001,485,208 | ---- | M] (Affinegy, Inc.) -- C:\Programme\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe PRC - [2010.04.27 10:21:06 | 001,094,656 | ---- | M] (Belkin International, Inc.) -- C:\Programme\Belkin\Belkin USB Print and Storage Center\Connect.exe PRC - [2010.03.18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACService.exe PRC - [2010.02.17 18:25:12 | 000,152,064 | ---- | M] () -- C:\Programme\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe PRC - [2010.02.09 15:55:52 | 000,049,152 | ---- | M] () -- C:\Programme\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe PRC - [2009.09.12 23:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\concentr.exe PRC - [2009.09.12 23:09:04 | 000,550,232 | ---- | M] (Citrix Systems, Inc.) -- C:\Programme\Citrix\ICA Client\wfcrun32.exe PRC - [2009.02.26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE PRC - [2008.10.24 17:35:44 | 000,128,296 | ---- | M] () -- C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe PRC - [2008.07.03 11:27:12 | 006,266,880 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe PRC - [2008.04.25 14:23:36 | 000,303,104 | ---- | M] (Fujitsu Siemens Computers) -- C:\Programme\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe PRC - [2008.02.26 03:23:34 | 000,443,968 | ---- | M] (Google Inc.) -- C:\Programme\Picasa2\PicasaMediaDetector.exe PRC - [2007.02.08 20:43:14 | 000,095,800 | ---- | M] (OLYMPUS IMAGING CORP.) -- C:\Programme\OLYMPUS\OLYMPUS Master 2\MMonitor.exe ========== Modules (No Company Name) ========== MOD - [2012.05.18 11:04:54 | 000,252,408 | ---- | M] () -- C:\Programme\MyTomTom 3\TomTomSupporterProxy.dll MOD - [2012.05.18 11:04:54 | 000,067,576 | ---- | M] () -- C:\Programme\MyTomTom 3\TomTomSupporterBase.dll MOD - [2012.05.18 11:04:44 | 007,964,160 | ---- | M] () -- C:\Programme\MyTomTom 3\QtGui4.dll MOD - [2012.05.18 11:04:44 | 000,980,480 | ---- | M] () -- C:\Programme\MyTomTom 3\QtNetwork4.dll MOD - [2012.05.18 11:04:44 | 000,019,456 | ---- | M] () -- C:\Programme\MyTomTom 3\DeviceDetection.dll MOD - [2012.05.18 11:04:42 | 002,302,464 | ---- | M] () -- C:\Programme\MyTomTom 3\QtCore4.dll MOD - [2012.05.18 11:04:42 | 000,357,888 | ---- | M] () -- C:\Programme\MyTomTom 3\QtXml4.dll MOD - [2011.06.24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Programme\Common Files\Apple\Apple Application Support\zlib1.dll MOD - [2011.06.24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Programme\Common Files\Apple\Apple Application Support\libxml2.dll MOD - [2010.09.09 20:40:39 | 000,034,816 | ---- | M] () -- C:\Programme\Google\Google Desktop Search\gzlib.dll MOD - [2010.07.28 17:34:04 | 000,022,424 | ---- | M] () -- C:\Programme\Belkin\Router Setup and Monitor\BelkinServicePS.dll MOD - [2010.07.28 17:02:58 | 000,658,432 | ---- | M] () -- C:\Programme\Belkin\Router Setup and Monitor\gateways\GenericBelkinGatewayLOC.dll MOD - [2010.06.23 18:12:28 | 007,187,456 | ---- | M] () -- C:\Programme\Belkin\Router Setup and Monitor\QtGui4.dll MOD - [2010.06.23 18:11:52 | 000,325,632 | ---- | M] () -- C:\Programme\Belkin\Router Setup and Monitor\QtXml4.dll MOD - [2010.06.23 18:11:48 | 001,954,304 | ---- | M] () -- C:\Programme\Belkin\Router Setup and Monitor\QtCore4.dll MOD - [2010.06.23 18:11:48 | 000,847,360 | ---- | M] () -- C:\Programme\Belkin\Router Setup and Monitor\QtNetwork4.dll MOD - [2010.06.23 17:38:18 | 000,119,808 | ---- | M] () -- C:\Programme\Belkin\Router Setup and Monitor\imageformats\qjpeg4.dll MOD - [2010.02.17 18:25:12 | 000,132,096 | ---- | M] () -- C:\Programme\Belkin\Belkin USB Print and Storage Center\BkLocalBackup.dll ========== Win32 Services (SafeList) ========== SRV - [2012.08.02 20:46:47 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.05.15 12:26:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Programme\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService) SRV - [2012.05.15 02:21:40 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service) SRV - [2012.03.26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft Security Client\NisSrv.exe -- (NisSrv) SRV - [2012.03.26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc) SRV - [2012.03.10 01:28:00 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc) SRV - [2012.01.03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2011.07.20 05:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2010.07.28 17:34:02 | 000,569,752 | ---- | M] (Affinegy, Inc.) [Auto | Running] -- C:\Programme\Belkin\Router Setup and Monitor\BelkinService.exe -- (AffinegyService) SRV - [2010.03.18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon) SRV - [2010.02.17 18:25:12 | 000,152,064 | ---- | M] () [Auto | Running] -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe -- (Belkin Local Backup Service) SRV - [2010.02.09 15:55:52 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe -- (Belkin Network USB Helper) SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2008.10.24 17:35:44 | 000,128,296 | ---- | M] () [Auto | Running] -- C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe -- (AAV UpdateService) SRV - [2008.04.25 14:23:36 | 000,303,104 | ---- | M] (Fujitsu Siemens Computers) [Auto | Running] -- C:\Programme\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe -- (TestHandler) SRV - [2006.12.14 17:00:00 | 000,544,768 | ---- | M] (Magix AG) [On_Demand | Stopped] -- C:\Programme\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- (UPnPService) SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) SRV - [2005.11.17 15:18:52 | 001,527,900 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Programme\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance) ========== Driver Services (SafeList) ========== DRV - [2012.08.07 17:44:35 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D1E3A906-7DF1-40AF-94C0-ED026A070F20}\MpKsl0e3ab555.sys -- (MpKsl0e3ab555) DRV - [2012.07.03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012.05.15 12:26:00 | 011,354,944 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm) DRV - [2012.03.20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv) DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb) DRV - [2010.03.11 22:21:38 | 000,247,320 | ---- | M] (silex technology, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\sxuptp.sys -- (sxuptp) DRV - [2009.09.08 18:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm) DRV - [2008.05.27 13:55:54 | 000,173,576 | ---- | M] (AMD Technologies Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\ahcix86s.sys -- (ahcix86s) DRV - [2008.05.02 13:59:40 | 000,122,368 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169) DRV - [2008.04.03 14:58:46 | 000,076,688 | ---- | M] (JMicron Technology Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\jraid.sys -- (JRAID) DRV - [2007.11.08 01:52:10 | 000,057,328 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\RxFilter.sys -- (RxFilter) DRV - [2004.04.26 23:31:04 | 000,474,304 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvcd.sys -- (QCDonner) DRV - [2001.10.23 01:00:00 | 000,059,520 | ---- | M] (AVM Berlin) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\avmport.sys -- (AVMPORT) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdomain?brand=FUJD&bmod=FUJD IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7FUJC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60747 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}: "URL" = hxxp://www.crawler.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=60747 IE - HKCU\..\SearchScopes\{429639AE-7D1D-47CB-B5DA-5A4FE67C4306}: "URL" = hxxp://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie IE - HKCU\..\SearchScopes\{63313F0F-6203-43FC-848A-65B447E2DA37}: "URL" = hxxp://dict.leo.org/ende?lp=ende&lang=de&searchLoc=0&cmpType=relaxed§Hdr=on&spellToler=on&chinese=both&pinyin=diacritic&search={searchTerms}&relink=on IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7FUJE_deDE392 IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = hxxp://127.0.0.1:4664/search&s=YW2OSfIrQErb8wuLQBEDuJZn0A8?q={searchTerms} IE - HKCU\..\SearchScopes\{7DBBA5CB-DA01-4528-8407-7CD2263D7066}: "URL" = hxxp://go.1und1.de/tb/ie_searchplugin/?su={searchTerms} IE - HKCU\..\SearchScopes\{C2975353-2A07-4580-8902-B97E345C4556}: "URL" = hxxp://go.web.de/tb/ie_searchplugin/?su={searchTerms} IE - HKCU\..\SearchScopes\{F2CE7EF5-F9EE-4EF5-9B00-938475A1ACFE}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=4F2C617B-7474-4BA4-ABF7-B99407CC27A5&apn_sauid=AA7CD1D8-7B0B-4334-909F-B3988120732D IE - HKCU\..\SearchScopes\{F6E9F91F-FCA8-43FD-8CBA-A23FE110943A}: "URL" = hxxp://go.gmx.net/tb/ie_searchplugin/?su={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_270.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKCU\Software\MozillaPlugins\@www.flatcast.com/FlatViewer 5.2: C:\PROGRA~1\MOZILL~1\plugins\NpFv530.dll (1 mal 1 Software GmbH) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2011.03.15 17:55:10 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 11.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 11.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 11.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 11.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 13.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 5.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 5.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.06.19 17:44:03 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2012.05.27 23:17:20 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\{184AA5E6-741D-464a-820E-94B3ABC2F3B4}: C:\Users\Admin\AppData\Roaming\5041 [2012.07.20 18:24:07 | 000,000,000 | ---D | M] [2010.09.16 22:19:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Admin\AppData\Roaming\mozilla\Extensions [2010.09.16 22:19:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Admin\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} [2012.04.27 16:35:41 | 000,574,660 | ---- | M] () (No name found) -- C:\USERS\ADMIN\APPDATA\ROAMING\THUNDERBIRD\PROFILES\3E29AJ4B.DEFAULT\EXTENSIONS\TBTESTPILOT@LABS.MOZILLA.COM.XPI O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - No CLSID value found. O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (WEB.DE Toolbar BHO) - {BF42D4A8-016E-4fcd-B1EB-837659FD77C6} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH) O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKLM\..\Toolbar: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - No CLSID value found. O3 - HKLM\..\Toolbar: (WEB.DE Toolbar) - {C424171E-592A-415a-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH) O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (WEB.DE Toolbar) - {C424171E-592A-415A-9EB1-DFD6D95D3530} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH) O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask) O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.) O4 - HKLM..\Run: [AVM] C:\AVM_Tmp\setup.exe (AVM) O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.) O4 - HKLM..\Run: [Google EULA Launcher] c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe ( ) O4 - HKLM..\Run: [InstaLAN] C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe (Affinegy, Inc.) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) O4 - HKLM..\Run: [Nikon Message Center 2] C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe (Nikon Corporation) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKCU..\Run: [MobileDocuments] C:\Programme\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.) O4 - HKCU..\Run: [MyTomTomSA.exe] C:\Programme\MyTomTom 3\MyTomTomSA.exe (TomTom) O4 - HKCU..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe (OLYMPUS IMAGING CORP.) O4 - HKCU..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe (Google Inc.) O4 - HKCU..\Run: [vikyrefwaqis] C:\Users\Admin\vikyrefwaqis.exe File not found O4 - Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data] O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O13 - gopher Prefix: missing O15 - HKCU\..Trusted Domains: localhost ([]http in Lokales Intranet) O15 - HKCU\..Trusted Domains: stadt-frankfurt.de ([portal] https in Vertrauenswürdige Sites) O16 - DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} https://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab (CeWe Color AG & Co. OHG Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} hxxp://www.lofer.at/activex/AxisCamControl.ocx (CamImage Class) O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F561} hxxp://download.flatcast.net/objects/NpFv530.dll (Flatcast Viewer 5.3) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E0E945D5-889A-4A73-9470-7F0C27864C20}: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O18 - Protocol\Handler\webde {8FAF0273-9CA8-4efc-9536-1E35E254D5CD} - C:\Programme\WEB.DE Toolbar\IE\uitb.dll (1und1 Mail und Media GmbH) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GO36F4~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O24 - Desktop WallPaper: O24 - Desktop BackupWallPaper: O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.08.07 19:28:19 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe [2012.08.06 17:11:51 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Malwarebytes [2012.08.06 17:11:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012.08.06 17:11:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.08.06 17:11:18 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.08.06 17:11:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.08.04 16:07:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype [2012.07.28 16:15:48 | 000,000,000 | ---D | C] -- C:\xmldm [2012.07.23 15:41:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation [2012.07.23 15:37:23 | 000,000,000 | ---D | C] -- C:\NVIDIA [2012.07.23 14:23:30 | 000,000,000 | ---D | C] -- C:\Program Files\Steganos Online-Banking 2011 [2012.07.23 14:16:57 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Steganos [2012.07.20 18:24:07 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\5041 [2012.07.20 15:19:15 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation [2012.07.20 15:19:11 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation [2012.07.20 15:18:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight [2012.07.20 15:18:14 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight [2012.07.19 18:24:05 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\UAs [2012.07.19 13:51:33 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\xmldm [2012.07.19 13:51:33 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\kock [1 C:\Users\Admin\AppData\Roaming\*.tmp files -> C:\Users\Admin\AppData\Roaming\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.08.07 19:28:32 | 000,698,748 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.08.07 19:28:32 | 000,654,066 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.08.07 19:28:32 | 000,148,944 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.08.07 19:28:32 | 000,121,898 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.08.07 19:25:32 | 000,000,000 | ---- | M] () -- C:\Users\Admin\defogger_reenable [2012.08.07 18:59:19 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.08.07 18:34:20 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.08.07 17:51:42 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.08.07 17:51:42 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.08.07 17:44:45 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.08.07 17:44:21 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.08.07 17:44:18 | 2616,647,680 | -HS- | M] () -- C:\hiberfil.sys [2012.08.07 15:35:30 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe [2012.08.07 13:47:04 | 000,050,477 | ---- | M] () -- C:\Users\Admin\Desktop\Defogger.exe [2012.08.06 17:11:26 | 000,001,073 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.06 04:54:17 | 000,000,017 | ---- | M] () -- C:\Users\Admin\AppData\Roaming\blckdom.res [2012.08.04 16:07:30 | 000,002,503 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk [2012.08.01 23:37:57 | 000,006,400 | ---- | M] () -- C:\Users\Admin\AppData\Roaming\BAcroIEHelpe180.dll [2012.07.23 15:30:12 | 000,000,038 | ---- | M] () -- C:\Users\Admin\AppData\Roaming\urhtps.dat [2012.07.23 14:30:44 | 000,010,240 | ---- | M] () -- C:\Users\Admin\Documents\Meine Konten.stb [2012.07.19 08:30:45 | 000,383,904 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [1 C:\Users\Admin\AppData\Roaming\*.tmp files -> C:\Users\Admin\AppData\Roaming\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.08.07 19:25:32 | 000,000,000 | ---- | C] () -- C:\Users\Admin\defogger_reenable [2012.08.07 19:24:54 | 000,050,477 | ---- | C] () -- C:\Users\Admin\Desktop\Defogger.exe [2012.08.06 17:11:26 | 000,001,073 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.05 21:57:15 | 000,001,712 | ---- | C] () -- C:\Users\Admin\AppData\Local\{c131cda6-abe8-ef6f-f49c-4367e3e7b080}\U\00000001.@ [2012.08.01 23:37:57 | 000,006,400 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\BAcroIEHelpe180.dll [2012.07.30 19:15:15 | 000,032,768 | ---- | C] () -- C:\Windows\System32\drivers\sp_rsdrv2.sys [2012.07.23 14:25:26 | 000,010,240 | ---- | C] () -- C:\Users\Admin\Documents\Meine Konten.stb [2012.07.20 19:33:13 | 000,000,017 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\blckdom.res [2012.07.20 11:56:45 | 000,000,038 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\urhtps.dat [2012.05.15 02:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe [2012.01.11 15:33:48 | 000,002,048 | -HS- | C] () -- C:\Users\Admin\AppData\Local\{c131cda6-abe8-ef6f-f49c-4367e3e7b080}\@ [2011.12.31 16:08:13 | 000,000,032 | ---- | C] () -- C:\Users\Admin\.simfy [2011.12.01 17:10:12 | 000,024,084 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\UserTile.png [2011.08.07 12:38:05 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Clips [2011.08.07 12:38:05 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Clean Electric Guitar [2011.08.07 12:38:05 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Classical [2011.08.07 12:38:05 | 000,000,268 | RH-- | C] () -- C:\Users\Admin\AppData\Roaming\Chorus [2011.08.07 12:38:05 | 000,000,268 | RH-- | C] () -- C:\Users\Admin\AppData\Roaming\Chiller [2011.08.07 12:38:05 | 000,000,268 | RH-- | C] () -- C:\Users\Admin\AppData\Roaming\Channel [2011.08.07 12:38:05 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLev.DAT [2011.08.07 12:38:05 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLet.DAT [2011.08.07 12:38:05 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLes.DAT [2011.06.10 16:21:52 | 000,000,017 | ---- | C] () -- C:\Users\Admin\AppData\Local\resmon.resmoncfg [2011.06.10 06:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll [2011.06.05 11:30:43 | 000,003,584 | ---- | C] () -- C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2011.05.24 14:53:14 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2011.02.20 16:40:27 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI [2011.02.01 14:06:45 | 000,000,000 | ---- | C] () -- C:\Users\Admin\AppData\Local\rx_image32.Cache [2011.01.17 18:25:26 | 000,096,580 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\mdbu.bin [2010.08.16 19:16:24 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI [2010.08.11 00:35:00 | 000,021,532 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat ========== LOP Check ========== [2011.12.19 23:54:59 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\1&1 Mail & Media GmbH [2012.07.20 18:24:07 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\5041 [2011.05.22 19:53:11 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Citrix [2010.11.11 19:58:40 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\dreamload [2010.12.03 12:40:08 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\fotobuch.de AG [2011.05.22 20:23:03 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\ICAClient [2011.08.10 11:32:59 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Juniper Networks [2012.07.19 13:51:33 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\kock [2010.08.11 00:31:22 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\MAGIX [2011.05.22 19:53:11 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Netscape [2011.08.07 20:17:51 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Nikon [2011.04.07 18:22:15 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\ProtectDISC [2011.06.09 21:09:59 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Simfy [2008.10.04 13:12:24 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\SmartSurfer [2012.07.23 15:28:29 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Steganos [2010.08.11 00:31:24 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Teledat USB 2 ab [2010.09.16 22:19:53 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Thunderbird [2012.07.19 18:28:20 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\UAs [2010.08.11 00:31:24 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\WEBDE [2012.08.05 22:28:16 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\xmldm [2012.05.17 07:03:22 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > Extra.txt: OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 07.08.2012 19:29:34 - Run 1 OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\Admin\Desktop Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,25 Gb Total Physical Memory | 1,78 Gb Available Physical Memory | 54,89% Memory free 6,49 Gb Paging File | 5,03 Gb Available in Paging File | 77,41% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 197,10 Gb Total Space | 90,25 Gb Free Space | 45,79% Space Free | Partition Type: NTFS Drive D: | 596,16 Gb Total Space | 575,81 Gb Free Space | 96,59% Space Free | Partition Type: NTFS Drive E: | 390,28 Gb Total Space | 364,39 Gb Free Space | 93,37% Space Free | Partition Type: NTFS Drive L: | 29,91 Gb Total Space | 24,68 Gb Free Space | 82,51% Space Free | Partition Type: FAT32 Computer Name: ADMIN-PC | User Name: Admin | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = ChromeHTML] -- Reg Error: Key error. File not found ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\fotobuch.de\Designer 2.0\Designer.exe" = C:\Program Files\fotobuch.de\Designer 2.0\Designer.exe:*:Designer.exe ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0AB3F092-9582-411F-B78E-45C65E0DFC89}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{11312787-16C6-4E6A-9BD7-55357C105C85}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{1EFBED7B-9C35-4A9E-A125-24EA1555C929}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{217A9BF7-7494-4583-9FED-4CEED2E92C31}" = lport=10243 | protocol=6 | dir=in | app=system | "{310365A4-BB98-4565-B4E1-D9F63D8E2852}" = lport=138 | protocol=17 | dir=in | app=system | "{3271CA37-FC37-4A5E-AB3A-04B02D42FCF3}" = lport=0 | protocol=6 | dir=in | name=magix upnp media server | "{351B2FB8-ADB9-413E-8847-6698C2D66FA5}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{3FF5BB11-0C09-48FA-87B3-99EF31EC0AD2}" = rport=10243 | protocol=6 | dir=out | app=system | "{41E848F4-77EB-4E1F-8C70-C4916091E256}" = lport=1900 | protocol=17 | dir=in | name=microsoft upnp-port (udp) | "{4FE49479-F871-47C5-AEDB-2E3101362B9A}" = rport=139 | protocol=6 | dir=out | app=system | "{52E93F77-1448-45D2-8A15-E79F375CF116}" = lport=137 | protocol=17 | dir=in | app=system | "{5686D109-DDEC-41AB-A7A2-5DDB5700821D}" = lport=445 | protocol=6 | dir=in | app=system | "{67C7CF74-3E3B-46F3-B3CF-3B2DC99F9D8C}" = rport=445 | protocol=6 | dir=out | app=system | "{6934C96A-6836-4A48-A6E9-EAFABC16788A}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{6C198F2E-E1DF-4A50-B0A3-74B17593848A}" = rport=138 | protocol=17 | dir=out | app=system | "{71F54821-3589-4CB4-8357-AF35D9C8A3D3}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{7E3DDB5A-2C1A-434E-A907-97F619D998F9}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{8172A309-1955-4786-8E2F-07D2A0214E21}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{97989A95-B666-48B5-8179-880F2B66755A}" = lport=139 | protocol=6 | dir=in | app=system | "{A88BD16C-5FD9-42B2-B66F-7D75C10C8E33}" = rport=137 | protocol=17 | dir=out | app=system | "{ACDFEBE6-667A-4734-BD0A-4CD3004F5344}" = lport=2869 | protocol=6 | dir=in | name=microsoft upnp-port (tcp) | "{C20F7862-7C54-42B3-8B35-23016F99EF12}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe | "{DD2136F8-1509-4C63-ABAA-D19421947B66}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{E5986CE3-151D-4DBA-97FF-3B3AEDE9C19F}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{F4660868-4FC7-4BFE-89B1-D0DE9F5DB7E3}" = lport=19540 | protocol=17 | dir=in | name=sxuptp | "{F4AC675C-5468-4281-A31E-A6A88D9E0814}" = lport=2869 | protocol=6 | dir=in | app=system | "{FDD5909B-7C10-4FB5-AC74-9AE5669E8563}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{FE0A7B00-29A9-44CD-8E15-E594CF604259}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{040DFCD6-AEEA-43F0-A4E7-05B9ADB594F2}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{160804D3-CA38-4590-96AD-716D1B16738F}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{186154D7-F388-42EC-A32F-F339D9E9DD1A}" = protocol=17 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe | "{31EB7D55-71B5-4AE3-982E-2F266BF5050B}" = dir=in | app=c:\program files\belkin\belkin usb print and storage center\connect.exe | "{3AF390DB-4DF5-47CD-93EE-674805CAF8E9}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{3C259609-DEEA-488F-A823-F48131DBC9AB}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{3DC417BC-C8DC-4E0C-9AB8-F30CD58A462D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{46C800A1-88A9-4425-9E96-BD6DE98AD11C}" = dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe | "{4D177F2B-492D-43D0-ABCF-68D85D769809}" = protocol=6 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe | "{5324AF40-4B29-4C7F-BD61-2527CF24E5B7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{5DF38728-8285-4665-9DEE-282E6CF50774}" = dir=in | app=c:\program files\itunes\itunes.exe | "{65B785A6-0A14-4A7B-872C-80FE1BF534F2}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{677AB402-A84F-484F-A5F7-6862B334BB1E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{6FE3B200-4BD0-479F-965E-19C4E0FFD441}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{71948648-56C9-4417-9D2C-194CEC19FA06}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{723898FA-05E9-4BE6-968F-5BC281EE8DF2}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{761125D2-4553-421C-986D-F971444D27D0}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | "{77F5E8A2-65D8-4838-BEC7-F29079069ADF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{7ACB3E13-BF21-4A49-A96A-CE56ED231960}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{8A9E9ACE-DF25-4104-B6A4-EDC23405A622}" = protocol=17 | dir=in | app=c:\program files\common files\magix shared\upnpservice\upnpservice.exe | "{99B6D483-FE6C-4555-9BE5-709F3B5AD764}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{A202D98F-D19F-4C83-BF6E-D035AE28D71F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{A805E979-C39F-445B-B634-9D8C00CA2A95}" = protocol=17 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe | "{B7E225CD-6485-44B6-B728-461C9784EAA1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{C575F1E4-AFD5-4445-BEB8-2C0FBEC82708}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{CB7A052F-4767-461E-BEA6-ED51723E6E50}" = protocol=6 | dir=in | app=c:\program files\common files\magix shared\upnpservice\upnpservice.exe | "{CD6CC5DE-6FF3-4F37-B081-17ACBB73E483}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{D3F379E8-EB56-4C3C-8B3F-733F7E0A183D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{DCE61FDD-9F45-49F2-A855-02AEE54B6CBF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{DD13EDD0-6FA2-45C3-817E-C7FDE5926A9E}" = protocol=6 | dir=out | app=system | "{E0B136B1-5B74-47F3-A1F1-0DAE2494B109}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{F1D4064B-5A2F-43EB-A729-621AE1B0332F}" = protocol=6 | dir=in | app=c:\program files\belkin\router setup and monitor\belkinsetup.exe | "{F4AAB6D1-BD41-43F1-B024-C49C43A28F79}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "TCP Query User{0B3E8645-B7F0-4C5F-909C-28D37C41C00D}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "TCP Query User{1C005333-DB8F-4B31-B37D-4308ABD348CE}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "TCP Query User{92E670FC-138C-4D8B-B725-1D1156F5FEA9}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | "TCP Query User{A49E0D77-A26A-488A-A88C-FCA0E40E92D9}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | "TCP Query User{F9023D93-2900-4B94-903C-4224F6DC4F14}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{042A61E2-9550-473F-BDDE-C0A195B72352}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{173128E3-4344-42B5-9934-A0884975E8D4}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | "UDP Query User{23A9C88C-C6CB-4DDA-9F03-D6BB75125694}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{E06683E6-3C48-4FB6-A31A-2FCD115B7E2E}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | "UDP Query User{FDD753EC-4844-4DD3-9847-877974E24855}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier "{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended "{0BCA9EFD-F2D6-4638-B053-8693BA0404BE}" = Citrix Online Plug-in (Web) "{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime "{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client "{0FCEE1FB-C48F-421C-B4C1-B952F1B67617}" = Actio multimedial "{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support "{1280E900-35DA-4E08-A700-B79A5B2B8532}" = Microsoft Antimalware Service DE-DE Language Pack "{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools "{20EFD980-3787-11D5-B64E-00C04F790F76}" = MovieShaker 3.1 für MICROMV "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31 "{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in "{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox "{2F926AE7-9FB7-4B34-906F-9C29A6D146A7}" = SystemDiagnostics "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager "{36E15666-43C1-91A7-0281-498F9D383B2C}" = simfy "{38441BE7-79B0-42B8-8297-833704F949FE}" = HLPIndex "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK "{4281435C-AD1D-4C8A-B9C0-3961C11EF142}_is1" = YouTube Song Downloader "{4412F224-3849-4461-A3E9-DEEF8D252790}" = Visual Studio C++ 10.0 Runtime "{469730CC-78DF-4CD3-B286-562D459EA619}" = ESSCAM "{48C82F7A-F100-4DAB-A310-8E18BF2159E1}" = ESSvpot "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4F677FC7-7AA8-412B-A957-F13CBE1C7331}" = ESSSONIC "{50779A29-834E-4E36-BBEB-B7CABC67A825}" = Microsoft Security Client DE-DE Language Pack "{55392E52-1AAD-44C4-BE49-258FFE72434F}" = Citrix Online Plug-in (USB) "{58FBBDAA-EAD1-423C-B743-6D562DF29AC0}" = Shell Routenplaner "{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack "{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup "{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3 "{69BD6399-3D8F-45B7-81D9-819361F5101D}" = PCDLNCH "{6AD9F5F3-5BD0-4000-BD9C-B536CF86D988}" = iTunes "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK "{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour "{79AE264A-7DEA-49AF-AFAF-7A2D8F706F51}" = Roxio WinOnCD LE 10 "{812424AC-A8B5-44E6-8D48-07E939D1AD9A}" = Citrix Online Plug-in (HDX) "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar "{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility "{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}" = ESSCT "{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}" = HLPSFO "{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini "{8F1ADE4D-EFAC-4F5A-B346-23C2687FAF50}" = Apple Mobile Device Support "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3) "{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui "{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}" = MobileMe Control Panel "{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore "{9F5FD796-86F0-4360-85F8-D54C0F5411EB}" = Steuer-Spar-Erklärung 2011 "{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}" = SFR2 "{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}" = ESSvpaht "{A6F18A67-B771-4191-8A33-36D2E742D6D9}" = ESSANUP "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5 "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch "{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK "{B014EE44-9197-4513-9613-71E6EB1B514E}" = Nikon Message Center 2 "{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller-Treiber 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.12.0213 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.8.15 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call "{B82157D3-6D31-4650-93B4-FC39BB08D6CE}" = AAVUpdateManager "{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU "{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}" = SFR "{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update "{C779648B-410E-4BBA-B75B-5815BCEFE71D}" = Safari "{C911A0C2-2236-3164-AA47-F2566C01AE5E}" = Microsoft .NET Framework 4 Extended DEU Language Pack "{CB49B376-1136-44B4-83FA-036334B59937}" = OLYMPUS Master 2 "{CC4BBCBA-89F6-47C3-9B0F-5CE5BB1C316C}" = WEB.DE Toolbar MSVC100 CRT x86 "{CF53CF7C-D996-43EB-9904-DBED57C25625}" = Citrix Online Plug-in (DV) "{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}" = ESSAdpt "{D1E7142C-6BC3-49EB-A71A-E5D7ADAC7599}" = Nikon File Uploader 2 "{D8E1DFEE-622B-46BA-AEFF-AB7E541C0B21}" = Steuer-Spar-Erklärung 2010 "{DA7DF8E2-4B8F-4286-97FE-DE3FFFE9B728}" = iCloud "{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX "{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer "{DDD62492-32A7-412B-8AF1-2CF032AD42E3}" = ViewNX 2 "{DE59762A-BBDC-4DE2-B3BD-6AA1D47ECD66}" = EPAFactory Endpoint Analysis Plugin 4.5.5.5 For HF4 "{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F18046C5-1C4E-4BE1-A3D6-A6F970E2E8E8}" = ArcSoft Panorama Maker 5 "{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5 "{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR "{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}" = ESSEMAIL "1&1 Mail & Media GmbH 1und1Softwareaktualisierung" = WEB.DE Softwareaktualisierung "1&1 Mail & Media GmbH Toolbar IE8" = WEB.DE Toolbar für Internet Explorer "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "ALDI Sued Fotoservice_is1" = Aldi Sued Fotoservice 2.7 "AVM" = Teledat USB 2 a/b "AVM ISDN CAPI Port" = ISDN CAPI Port "Belkin Setup and Router Monitor_is1" = Belkin Setup and Router Monitor "Belkin USB Print and Storage Center" = Belkin USB Print and Storage Center "CitrixOnlinePluginPackWeb" = Citrix Online Plug-in - Web "Data Access Objects (DAO)" = Data Access Objects (DAO) 3.0 "D-Fend Reloaded" = D-Fend Reloaded 1.1.0 (deinstallieren) "Firebird SQL Server D" = Firebird SQL Server - MAGIX Edition "Google Desktop" = Google Desktop "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "HP-Color LaserJet 2600n" = Color LaserJet 2600n "KLiteCodecPack_is1" = K-Lite Codec Pack 6.0.4 (Basic) "lgx4.lgx.server" = G DATA Logox4 Speechengine "Lidl-Fotos_is1" = Lidl-Fotos "MAGIX Foto Manager 2008 D" = MAGIX Foto Manager 2008 5.0.3.351 (D) "MAGIX Fotobuch" = MAGIX Fotobuch 3.6 "MAGIX Media Suite D" = MAGIX Media Suite 1.12.0.89 (D) "MAGIX Music Manager 2007 D" = MAGIX Music Manager 2007 8.2.0.76 (D) "MAGIX Online Druck Service D" = MAGIX Online Druck Service 2.3.2.0 (D) "MAGIX Ringtone Maker SE D" = MAGIX Ringtone Maker SE 3.1.0.4 (D) "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.62.0.1300 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended "Microsoft .NET Framework 4 Extended DEU Language Pack" = Microsoft .NET Framework 4 Extended DEU Language Pack "Microsoft Security Client" = Microsoft Security Essentials "Mozilla Thunderbird 14.0 (x86 de)" = Mozilla Thunderbird 14.0 (x86 de) "MyTomTom" = MyTomTom 3.2.0.700 "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver "PhotoRecall Deluxe" = PhotoRecall Deluxe "Picasa 3" = Picasa 3 "PIXO RESCUE_is1" = PIXO RESCUE Version 1.0 "RealProducer 8.5" = RealProducer Basic 8.5 "Simfy" = simfy "TeledatKonf" = Teledat USB 2 a/b Konfiguration "ZMBV" = Zip Motion Block Video codec (Remove Only) ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{79A765E1-C399-405B-85AF-466F52E918B0}" = Ask Toolbar Updater ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 16.03.2012 13:57:55 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 4010 Error - 16.03.2012 13:57:56 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 16.03.2012 13:57:56 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 5008 Error - 16.03.2012 13:57:56 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 5008 Error - 16.03.2012 13:57:57 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 16.03.2012 13:57:57 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 6006 Error - 16.03.2012 13:57:57 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 6006 Error - 16.03.2012 13:57:58 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 16.03.2012 13:57:58 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 7005 Error - 16.03.2012 13:57:58 | Computer Name = Admin-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 7005 [ OSession Events ] Error - 14.12.2010 09:12:12 | Computer Name = Admin-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 32 seconds with 0 seconds of active time. This session ended with a crash. [ System Events ] Error - 29.06.2012 10:20:10 | Computer Name = Admin-PC | Source = Disk | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk7\DR8 gefunden. Error - 29.06.2012 10:20:11 | Computer Name = Admin-PC | Source = Disk | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk7\DR8 gefunden. Error - 29.06.2012 10:20:11 | Computer Name = Admin-PC | Source = Disk | ID = 262155 Description = Der Treiber hat einen Controllerfehler auf \Device\Harddisk7\DR8 gefunden. Error - 29.07.2012 16:15:56 | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst lmhosts erreicht. Error - 02.08.2012 08:19:14 | Computer Name = Admin-PC | Source = DCOM | ID = 10010 Description = Error - 06.08.2012 11:08:48 | Computer Name = Admin-PC | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.131.1433.0 Aktualisierungsquelle: %%859 Aktualisierungsphase: %%852 Quellpfad: hxxp://www.microsoft.com Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: Vorherige Modulversion: 1.1.8601.0 Fehlercode: 0x8024402c Fehlerbeschreibung: Unerwartetes Problem bei der Überprüfung auf Updates. Informationen zum Installieren von Updates oder zur Problembehandlung finden Sie unter "Hilfe und Support". Error - 06.08.2012 14:00:01 | Computer Name = Admin-PC | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.131.1433.0 Aktualisierungsquelle: %%859 Aktualisierungsphase: %%852 Quellpfad: hxxp://www.microsoft.com Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: Vorherige Modulversion: 1.1.8601.0 Fehlercode: 0x8024402c Fehlerbeschreibung: Unerwartetes Problem bei der Überprüfung auf Updates. Informationen zum Installieren von Updates oder zur Problembehandlung finden Sie unter "Hilfe und Support". Error - 06.08.2012 14:14:48 | Computer Name = Admin-PC | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.131.1433.0 Aktualisierungsquelle: %%859 Aktualisierungsphase: %%852 Quellpfad: hxxp://www.microsoft.com Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: Vorherige Modulversion: 1.1.8601.0 Fehlercode: 0x8024402c Fehlerbeschreibung: Unerwartetes Problem bei der Überprüfung auf Updates. Informationen zum Installieren von Updates oder zur Problembehandlung finden Sie unter "Hilfe und Support". Error - 06.08.2012 15:39:35 | Computer Name = Admin-PC | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.131.1433.0 Aktualisierungsquelle: %%859 Aktualisierungsphase: %%852 Quellpfad: hxxp://www.microsoft.com Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: Vorherige Modulversion: 1.1.8601.0 Fehlercode: 0x8024402c Fehlerbeschreibung: Unerwartetes Problem bei der Überprüfung auf Updates. Informationen zum Installieren von Updates oder zur Problembehandlung finden Sie unter "Hilfe und Support". Error - 07.08.2012 11:54:34 | Computer Name = Admin-PC | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.131.1433.0 Aktualisierungsquelle: %%859 Aktualisierungsphase: %%852 Quellpfad: hxxp://www.microsoft.com Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: Vorherige Modulversion: 1.1.8601.0 Fehlercode: 0x8024402c Fehlerbeschreibung: Unerwartetes Problem bei der Überprüfung auf Updates. Informationen zum Installieren von Updates oder zur Problembehandlung finden Sie unter "Hilfe und Support". < End of report > [ /code] Anschließend GMER ausgeführt; folgende Fehlermeldung: w6..(gmer) funktioniert nicht mehr Das Programm wird aufgrund eines Problems nicht richtig ausgeführt. Das Programm wird geschlossen und Sie werden benachrichtigt, wenn eine Lösung verfügbar ist. Ich habe GMER heute nochmals im abgesicherten Modus laufen lassen: gleiches Ergebnis. Ergänzend kann ich noch schreiben, dass in der untersten Zeile steht: \Device\HardiskVolumeShadowCopy1 |
24.08.2012, 18:58 | #3 |
/// Helfer-Team | Sirefef.AL und Siref.AQSchlechte Nachrichten! Trojan.Banker RootKit.0Access Du hast mehr als eine schwere Infektion auf Deinem Rechner. http://www.trojaner-board.de/56634-rootkits.html Er ist kompromittiert und ist nicht mehr vertrauenswuerdig. Du solletest von einem sauberen System aus alle deine Passwoerter aendern. Ich empfehle dir dringendst den PC vom Netz zu trennen und neu aufzusetzen. Anleitungen zum Neuaufsetzen (bebildert) > Windows 7 neu aufsetzen > Vista > XP 1. Datenrettung:
2. Formatieren, Windows neu instalieren:
3. PC absichern: http://www.trojaner-board.de/96344-a...-rechners.html ich werde außerdem noch weitere punkte dazu posten. 4. alle Passwörter ändern! 5. nach PC Absicherung, die gesicherten Daten prüfen und falls sauber: zurückspielen.
__________________ |
Themen zu Sirefef.AL und Siref.AQ |
acroiehelpe180.dll, ausgeführt, beenden, beendet, blieb, datei, entfernt, essen, gelöscht, gen, gestern, konnte, melde, meldet, meldung, microsoft, minute, minuten, msimg32.dll, profil, prozess, rechner, schließe, security, taskleiste, taskmanager, trojan.phex.thagen, trojan.phex.thagen3, verhindern |