Log Analysis and Evaluation: GVU Trojan (variant of 2.07, since the image differs slightly), Windows 7
29.08.2012, 13:58 | #1
GVU Trojan (variant of 2.07, since the image differs slightly)

Hello everyone,

I have just caught the GVU trojan on my tower PC and tried to remove it with Kaspersky Rescue Disk 10 and WindowsUnlocker. However, I cannot find the two keys to look for (hxxp://blog.botfrei.de/2012/03/anlei...ws-xp-vista-7/) in the K-Editor, and the WindowsUnlocker terminal screen does not show any "restore to explorer.exe" messages either. Since it has now become clear to me that I "own" a different version of the trojan (2.07, I assume), I wanted to ask here whether someone can help me solve this problem?

Regards

Addendum: It does not seem to be exactly 2.07, as there are small deviations from the picture at hxxp://bka-trojaner.de/

Addendum II: Attached are OTL.txt and Extras.txt
29.08.2012, 14:03 | #2
/// Malware-holic | GVU Trojan (variant of 2.07, since the image differs slightly)

Hi,

this script and any scripts that follow are only for the user concerned. If you have problems, open your own topic and wait for scripts tailored to you.

• Please start OTL.exe
• Now copy the following into the text box.

Code:
:OTL
O20 - HKU\S-1-5-21-72721436-1853332672-4045996675-1001 Winlogon: Shell - (D:\Users\DenDe\AppData\Roaming\msconfig.dat) - D:\Users\DenDe\AppData\Roaming\msconfig.dat ()
:Files
D:\Users\DenDe\AppData\Roaming\msconfig.dat
:Commands
[Reboot]

• Now please close all programs.
• Now please click the Fix button.
• OTL may require a restart. Please allow it.
• After the restart you will find a text document; copy its contents into your next reply here.

Start in normal mode. If you have no icons, right-click, View, Show desktop icons.

Note: Please also upload the file to the UpChannel as described in the instructions. Please do NOT post the ZIP file here as an attachment in the thread!

Please press the Windows key + E.

For a further analysis I need the following: D:\Users\name\AppData\LocalLow\Sun\Java\Deployment\cache (on your machine it may be on C:). There, right-click the "cache" folder, pack it with WinRAR or another program, and upload it in the upload channel: Trojaner-Board Upload Channel. When this is done, please report back.
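The O20 line in the fix above is the whole persistence of this lock screen: the per-user Winlogon "Shell" value starts msconfig.dat from the roaming profile instead of explorer.exe. As an added example (not OTL code and not the helper's script), the following Python triages the O20 entries of an OTL log for exactly that pattern, and more generally for Shell/UserInit values pointing at the wrong program, at a user-writable location, or at a missing file. The sample lines are constructed after the log quoted in this thread (the per-user UserInit line is invented for contrast), and OTL's O20 line format is assumed to be as it appears here.

```python
"""Triage the O20 (Winlogon) entries of an OTL log for Shell/UserInit hijacks.

Added example for this thread; it is not part of OTL or of the helper's fix.
The lock screen handled above persists by pointing the per-user Winlogon
"Shell" value at a file in the user's roaming profile (msconfig.dat) instead
of explorer.exe. The sample lines below are constructed after the OTL output
quoted in the thread; the per-user UserInit line is invented for contrast.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed shape of an OTL O20 line, as seen in this thread:
#   O20[:64bit:] - <hive> Winlogon: <value> - (<configured>) - <resolved path> (<company>)
O20_RE = re.compile(
    r"^O20(?::64bit:)? - (?P<hive>\S+) Winlogon: (?P<value>\w+) - "
    r"\((?P<configured>[^)]*)\) - (?P<resolved>.*?)(?: \((?P<company>[^)]*)\))?$"
)

# What Winlogon should be starting, by value name. Other values (VMApplet, ...)
# are not inspected here.
EXPECTED = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}

# Path fragments that mean "the user, and therefore the malware, could write here".
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\",
                 "\\documents and settings\\")


@dataclass
class Finding:
    line: str
    severity: str  # "high" = almost certainly a hijack, "medium" = needs a look
    reason: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_winlogon(lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious Shell/UserInit entry, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        m = O20_RE.match(raw.strip())
        if not m or m.group("value") not in EXPECTED:
            continue
        value, configured, resolved = m.group("value", "configured", "resolved")
        expected = EXPECTED[value]
        haystack = (configured + " " + resolved).lower()
        # Shell may list several programs separated by commas ("explorer.exe, x.exe");
        # UserInit's default legitimately ends with a trailing comma.
        programs = [p.strip() for p in configured.split(",") if p.strip()]

        if any(marker in haystack for marker in USER_WRITABLE):
            findings.append(Finding(raw, "high",
                f"{value} starts something from a user-writable location: {configured}"))
        elif len(programs) != 1 or basename(programs[0]) != expected:
            findings.append(Finding(raw, "high",
                f"{value} is '{configured}', expected exactly {expected}"))
        elif resolved == "File not found":
            findings.append(Finding(raw, "medium",
                f"{value} names {expected} but the file is missing (broken logon)"))
        elif "\\windows\\" not in resolved.lower():
            findings.append(Finding(raw, "medium",
                f"{value} resolves outside the Windows directory: {resolved}"))
        elif not m.group("company"):
            findings.append(Finding(raw, "medium",
                f"{value} binary carries no company name: {resolved}"))
    return findings


# Constructed sample, modelled on the O20 block of the OTL.txt quoted in this
# thread, with the pre-fix msconfig.dat entry from the helper's script put back in.
SAMPLE_LOG = r"""
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-72721436-1853332672-4045996675-1001 Winlogon: Shell - (D:\Users\DenDe\AppData\Roaming\msconfig.dat) - D:\Users\DenDe\AppData\Roaming\msconfig.dat ()
O20 - HKU\S-1-5-21-72721436-1853332672-4045996675-1001 Winlogon: UserInit - (userinit.exe,) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
"""


def triage_sample() -> List[Finding]:
    return check_winlogon(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity.upper()}] {f.reason}")
```

Running it on the sample flags only the msconfig.dat line as high; the HKLM entries and the per-user UserInit with its trailing comma pass.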
29.08.2012, 15:38 | #3
GVU Trojan (variant of 2.07, since the image differs slightly)

Hey, many thanks for your quick help.

So, I was able to run the fix via OTL in Safe Mode with Command Prompt (explorer.exe started). In the other modes the screen was locked immediately. After the reboot I was able to start normal mode and the infected profile again without problems. However, I could not find a new text file on the desktop. I have now simply run another OTL scan and hope these are the files you mean.

OTL.txt

OTL Logfile:

Code:
OTL logfile created on: 29.08.2012 16:26:09 - Run 2
OTL by OldTimer - Version 3.2.59.1     Folder = D:\Users\DenDe\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

8,00 Gb Total Physical Memory | 6,39 Gb Available Physical Memory | 79,84% Memory free
12,00 Gb Paging File | 10,24 Gb Available in Paging File | 85,36% Paging File free
Paging file location(s): d:\pagefile.sys 4096 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 51,35 Gb Total Space | 29,23 Gb Free Space | 56,92% Space Free | Partition Type: NTFS
Drive D: | 931,51 Gb Total Space | 756,83 Gb Free Space | 81,25% Space Free | Partition Type: NTFS
Drive E: | 97,66 Gb Total Space | 59,92 Gb Free Space | 61,36% Space Free | Partition Type: NTFS
Drive F: | 148,91 Gb Total Space | 57,72 Gb Free Space | 38,76% Space Free | Partition Type: NTFS
Drive G: | 259,27 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive K: | 2,36 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: ZWECKFORMERPC2 | User Name: Zweckformer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.08.29 14:16:04 | 000,598,528 | ---- | M] (OldTimer Tools) -- D:\Users\DenDe\Desktop\OTL.exe
PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011.09.22 12:03:30 | 000,974,944 | ---- | M] (ESET) -- E:\Apps\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

========== Modules (No Company Name) ==========

MOD - [2012.05.30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012.05.30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

========== Services (SafeList) ==========

SRV:64bit: - [2012.04.06 04:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2012.08.22 19:52:44 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.08.19 20:50:37 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.07.14 02:13:54 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011.09.22 12:03:30 | 000,974,944 | ---- | M] (ESET) [Auto | Running] -- E:\Apps\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn)
SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012.06.29 23:38:01 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2012.04.25 12:11:36 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012.04.06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2012.04.06 03:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012.02.23 14:32:04 | 000,095,760 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011.08.09 14:24:52 | 000,202,576 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm)
DRV:64bit: - [2011.08.04 09:20:38 | 000,146,432 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv)
DRV:64bit: - [2011.08.04 09:20:38 | 000,137,144 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.11.21 05:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010.06.09 22:41:13 | 000,123,840 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AnyDVD.sys -- (AnyDVD)
DRV:64bit: - [2010.01.01 19:20:28 | 000,034,472 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.05.18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2010.06.09 22:41:13 | 000,123,840 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010.03.31 00:00:00 | 000,026,752 | ---- | M] () [Kernel | On_Demand | Stopped] -- E:\Apps\EVEREST Ultimate Edition\kerneld.amd64 -- (EverestDriver)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 8E E2 FF 8B 66 CD 01 [binary data]
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Apps\Itunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@idsoftware.com/QuakeLive: C:\ProgramData\id Software\QuakeLive\npquakezero.dll (id Software Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.6.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: E:\Apps\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: E:\Apps\AReaderX\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Users\DenDe\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Users\DenDe\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: E:\Apps\Mozilla\components [2012.07.20 21:15:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: E:\Apps\Mozilla\plugins [2012.08.20 15:46:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: E:\Apps\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012.08.23 10:10:03 | 000,000,000 | ---D | M]

[2012.07.20 21:16:16 | 000,000,000 | ---D | M] (No name found) -- D:\Users\DenDe\AppData\Roaming\mozilla\Extensions
[2012.08.26 19:31:11 | 000,000,000 | ---D | M] (No name found) -- D:\Users\DenDe\AppData\Roaming\mozilla\Firefox\Profiles\b4uoubp3.default\extensions
[2012.07.20 21:34:28 | 000,000,000 | ---D | M] (Forecastfox) -- D:\Users\DenDe\AppData\Roaming\mozilla\Firefox\Profiles\b4uoubp3.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = D:\Users\DenDe\AppData\Local\Google\Chrome\Application\21.0.1180.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = D:\Users\DenDe\AppData\Local\Google\Chrome\Application\21.0.1180.79\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = D:\Users\DenDe\AppData\Local\Google\Chrome\Application\21.0.1180.79\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = E:\Apps\AReaderX\Reader\Browser\nppdf32.dll
CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: Uplay PC (Enabled) = C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
CHR - plugin: Google Update (Enabled) = D:\Users\DenDe\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: iTunes Application Detector (Enabled) = E:\Apps\Itunes\Mozilla Plugins\npitunes.dll
CHR - plugin: VLC Web Plugin (Enabled) = E:\Apps\VLC\npvlc.dll

O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [egui] E:\Apps\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-72721436-1853332672-4045996675-1001..\Run: [DAEMON Tools Lite] E:\Apps\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 217.0.43.129 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B73333B-BFD8-4059-B583-C92A5566532E}: DhcpNameServer = 217.0.43.129 192.168.0.1
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKU\S-1-5-21-72721436-1853332672-4045996675-1001 Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.12.19 18:34:54 | 002,830,336 | ---- | M] () - H:\autorun.exe -- [ FAT32 ]
O32 - AutoRun File - [2009.12.21 22:48:04 | 000,000,000 | ---D | M] - H:\AutoPlay -- [ FAT32 ]
O32 - AutoRun File - [2009.12.19 18:34:54 | 000,000,046 | ---- | M] () - H:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2009.12.14 22:58:24 | 000,003,562 | ---- | M] () - H:\Autounattend.xml -- [ FAT32 ]
O32 - AutoRun File - [2012.08.16 19:43:24 | 000,000,058 | R--- | M] () - K:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{8f7eab56-bc40-11e1-9592-0023ae616502}\Shell - "" = AutoRun
O33 - MountPoints2\{8f7eab56-bc40-11e1-9592-0023ae616502}\Shell\AutoRun\command - "" = K:\Setup.exe -- [2012.08.16 19:43:24 | 001,112,066 | R--- | M] (Microsoft Games Studios )
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\Setup.exe -- [2012.08.16 19:43:24 | 001,112,066 | R--- | M] (Microsoft Games Studios )
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.08.29 14:42:48 | 000,598,528 | ---- | C] (OldTimer Tools) -- D:\Users\DenDe\Desktop\OTL.exe
[2012.08.29 13:51:01 | 000,000,000 | -HSD | C] -- C:\found.000
[2012.08.23 10:27:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012.08.23 10:27:14 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012.08.23 10:27:10 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012.08.23 10:27:10 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012.08.23 10:27:10 | 000,095,208 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012.08.23 10:27:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2012.08.23 10:09:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
[2012.08.23 10:01:31 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2012.08.20 23:27:11 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Local\Darksiders2
[2012.08.20 21:10:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\THQ
[2012.08.19 23:38:03 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012.08.19 23:38:02 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012.08.19 23:38:02 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012.08.19 23:38:02 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012.08.19 23:38:01 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012.08.19 23:38:01 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012.08.19 23:38:01 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012.08.19 23:38:01 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012.08.19 23:38:00 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012.08.19 23:38:00 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012.08.19 23:38:00 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012.08.19 23:37:59 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012.08.19 23:37:59 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012.08.19 23:22:36 | 000,000,000 | ---D | C] -- C:\Games
[2012.08.19 23:22:29 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Local\Package Cache
[2012.08.19 20:54:58 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2012.08.19 20:54:55 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2012.08.19 20:54:55 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2012.08.19 20:54:55 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\splwow64.exe
[2012.08.19 20:54:54 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netapi32.dll
[2012.08.19 20:54:54 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browcli.dll
[2012.08.19 20:54:54 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\browcli.dll
[2012.08.19 20:54:52 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll
[2012.08.13 18:42:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kalypso
[2012.08.13 18:36:58 | 000,000,000 | ---D | C] -- C:\ProgramData\RELOADED
[2012.08.12 15:41:43 | 000,000,000 | ---D | C] -- D:\Users\DenDe\Documents\Wizards of the Coast
[2012.08.11 12:42:23 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Roaming\RotMG.Production
[2012.08.08 11:20:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavalys
[2012.08.07 21:49:00 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Local\Adobe
[2012.08.06 20:39:26 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Roaming\Natural Selection 2
[2012.08.04 23:23:18 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Roaming\HackSlashLoot
[2012.08.03 20:22:33 | 000,000,000 | ---D | C] -- D:\Users\DenDe\Documents\LOLReplay
[2012.08.02 00:11:49 | 000,000,000 | ---D | C] -- D:\Users\DenDe\Documents\Shiner

========== Files - Modified Within 30 Days ==========

[2012.08.29 16:24:06 | 000,021,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.29 16:24:06 | 000,021,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.29 16:21:10 | 001,498,506 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.08.29 16:21:10 | 000,653,928 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.08.29 16:21:10 | 000,615,810 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.08.29 16:21:10 | 000,129,800 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.08.29 16:21:10 | 000,106,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.08.29 16:18:44 | 000,001,132 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-72721436-1853332672-4045996675-1001UA.job
[2012.08.29 16:16:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.29 16:16:25 | 2145,636,351 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.29 14:23:12 | 000,000,045 | ---- | M] () -- D:\Users\DenDe\AppData\Roaming\msconfig.ini
[2012.08.29 14:16:04 | 000,598,528 | ---- | M] (OldTimer Tools) -- D:\Users\DenDe\Desktop\OTL.exe
[2012.08.29 13:50:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.08.24 02:17:00 | 000,001,080 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-72721436-1853332672-4045996675-1001Core.job
[2012.08.23 10:27:06 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\deployJava1.dll
[2012.08.23 10:27:06 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012.08.23 10:27:06 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012.08.23 10:27:06 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012.08.23 10:27:06 | 000,095,208 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012.08.21 20:39:27 | 001,034,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\npDeployJava1.dll
[2012.08.21 20:39:27 | 000,916,456 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\deployJava1.dll
[2012.08.20 08:59:41 | 000,274,464 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.19 20:50:37 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012.08.19 20:50:37 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.08.03 20:30:17 | 014,958,983 | ---- | M] () -- D:\Users\DenDe\Desktop\Let's Build Exchange.zip
[2012.08.01 21:25:21 | 000,065,078 | ---- | M] () -- D:\Users\DenDe\Desktop\196209-10150980578639752-1018513593-n.jpg

========== Files Created - No Company Name ==========

[2012.08.29 11:46:32 | 000,000,045 | ---- | C] () -- D:\Users\DenDe\AppData\Roaming\msconfig.ini
[2012.08.03 20:29:32 | 014,958,983 | ---- | C] () -- D:\Users\DenDe\Desktop\Let's Build Exchange.zip
[2012.08.01 21:25:20 | 000,065,078 | ---- | C] () -- D:\Users\DenDe\Desktop\196209-10150980578639752-1018513593-n.jpg
[2012.07.19 17:45:15 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2012.06.21 15:10:00 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.04.06 03:29:34 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.04.06 03:29:34 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012.03.09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2011.09.13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

========== LOP Check ==========

[2012.08.03 20:31:52 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\.minecraft
[2012.06.26 20:11:07 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\.minecraft - Kopie
[2012.07.17 19:49:09 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\.mono
[2012.06.22 11:24:45 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Ashampoo
[2012.07.04 18:08:26 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\DAEMON Tools Lite
[2012.07.11 09:37:42 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\digital publishing
[2012.06.21 15:51:24 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\DisplayFusion
[2012.08.04 23:23:18 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\HackSlashLoot
[2012.07.11 17:44:07 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Hod_Uninstall
[2012.07.11 17:44:10 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\HulkOnDesk
[2012.06.21 18:33:43 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\LolClient
[2012.06.21 23:34:27 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\LolClient2
[2012.08.06 20:39:32 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Natural Selection 2
[2012.07.02 16:19:45 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Notepad++
[2012.06.21 21:52:57 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\QIP
[2012.08.11 12:42:23 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\RotMG.Production
[2012.07.12 22:36:58 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\six-updater
[2012.07.12 20:52:26 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\six-zsync
[2012.07.07 13:27:59 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Ubisoft
[2012.07.17 19:32:03 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Unity
[2012.07.28 13:35:39 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Wargaming.net
[2012.07.04 15:55:33 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\WindSolutions
[2012.07.30 17:19:49 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\WorldPainter
[2009.07.14 07:08:49 | 000,017,890 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

Extras.txt

OTL Logfile:

Code:
ATTFilter OTL Extras logfile created on: 29.08.2012 16:26:09 - Run 2 OTL by OldTimer - Version 3.2.59.1 Folder = D:\Users\DenDe\Desktop 64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 8,00 Gb Total Physical Memory | 6,39 Gb Available Physical Memory | 79,84% Memory free 12,00 Gb Paging File | 10,24 Gb Available in Paging File | 85,36% Paging File free Paging file location(s): d:\pagefile.sys 4096 4096 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 51,35 Gb Total Space | 29,23 Gb Free Space | 56,92% Space Free | Partition Type: NTFS Drive D: | 931,51 Gb Total Space | 756,83 Gb Free Space | 81,25% Space Free | Partition Type: NTFS Drive E: | 97,66 Gb Total Space | 59,92 Gb Free Space | 61,36% Space Free | Partition Type: NTFS Drive F: | 148,91 Gb Total Space | 57,72 Gb Free Space | 38,76% Space Free | Partition Type: NTFS Drive G: | 259,27 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS Drive K: | 2,36 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS Computer Name: ZWECKFORMERPC2 | User Name: Zweckformer | Logged in as Administrator. 
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation) [HKEY_USERS\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- E:\Apps\Mozilla\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation) InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "E:\Apps\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [Browse with &IrfanView] -- "E:\Apps\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan) Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "E:\Apps\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Directory [Winamp.Bookmark] -- "E:\Apps\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.) Directory [Winamp.Enqueue] -- "E:\Apps\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.) Directory [Winamp.Play] -- "E:\Apps\Winamp\winamp.exe" "%1" (Nullsoft, Inc.) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. htmlfile [edit] -- Reg Error: Key error. htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "E:\Apps\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [Browse with &IrfanView] -- "E:\Apps\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan) Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "E:\Apps\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Directory [Winamp.Bookmark] -- "E:\Apps\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.) Directory [Winamp.Enqueue] -- "E:\Apps\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.) Directory [Winamp.Play] -- "E:\Apps\Winamp\winamp.exe" "%1" (Nullsoft, Inc.) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0E7380A1-585A-4756-B2DC-151F81FBF26A}" = protocol=17 | dir=in | app=e:\games\steam\steam.exe | "{1AC0BE05-8095-406D-8C8A-59AF8B59779C}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\dota 2 beta\dota.exe | "{1CD440AC-1607-41CB-8499-414AE44468C1}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\natural selection 2\launchpad.exe | "{1F6B604C-FDF4-46E2-A9ED-BE85D95B3672}" = protocol=6 | dir=in | app=f:\games\anno2070\autopatcher.exe | "{294A71A2-1F42-4044-BF26-FE6D215D843C}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\cubemen\cubemen.exe | "{2C6B8612-0DEF-4D47-ADE1-0E293810ACF6}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\serious sam 3\bin\sam3_unrestricted.exe | "{2CC8A2E0-5F0D-4E86-BC3D-FDC264129EAE}" = protocol=6 | dir=in | app=e:\games\steam\steam.exe | "{323C0BB4-4793-48EB-91C9-287DB6D5A60C}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe | "{3A9D4E4F-4FA7-451C-BA3D-BE697F5FA072}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\natural selection 2\launchpad.exe | "{3AF1A23E-DEC2-4126-9BB1-201CA4BE021F}" = protocol=6 | dir=in | app=f:\games\anno2070\initengine.exe | "{4377E818-ECCB-402F-8B6B-636FD79DC271}" = protocol=17 | dir=in | app=f:\games\anno2070\initengine.exe | "{4856FDBA-5CAE-422A-80EF-E7C134D948E8}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation 
arrowhead\besetup\setup_battleyearma2oa.exe | "{498516AC-C52B-4270-BF33-4E7FF21FB178}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\cubemen\cubemen.exe | "{4B11BB18-449F-4C96-A2AB-F99FFEADD232}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe | "{54AF3664-091A-4912-A486-5E71BBC31F84}" = dir=in | app=e:\apps\itunes\itunes.exe | "{5594A3D6-1400-44D8-A4FA-6A29EE18AB9E}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe | "{5C0C98FB-C5B8-4642-8575-308754D9C835}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe | "{621050FF-3A02-4913-86BC-55E04E052FBF}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\hackslashloot\hackslashloot.exe | "{636B5AE4-25C2-4AAB-862B-7F8F3C5F406C}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\natural selection 2\ns2.exe | "{6501D285-1500-4A94-8BB3-8C6F08671C3F}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe | "{68859ECA-9960-432D-86DB-9FBD61339078}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe | "{6D10FBD4-C539-4595-80B3-C6A9C0470EBE}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe | "{6E490EE5-7597-4BEE-AF9B-2CAB541F666A}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe | "{6E71E6D0-F1EB-40EF-99DD-14213F022583}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2\arma2.exe | "{6E943433-168B-4D11-82E7-E23401360D13}" = protocol=17 | dir=in | app=f:\games\anno2070\autopatcher.exe | "{6EA9CC33-9D1A-4F25-BEFE-86971796D7AA}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd | "{6F634D46-1BF3-441A-B150-4B07E5ADC806}" = protocol=17 | dir=in | app=f:\games\anno2070\anno5.exe | "{713B1214-ED28-4268-ABB0-1FD5A6F9B22A}" = 
protocol=6 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe | "{77F81067-28C9-4A32-ABEE-84894457C057}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\serious sam 3\bin\sam3.exe | "{7C003B40-082C-4C0D-8A8A-94049A0746FE}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\dota 2 beta\dota.exe | "{7CAE8907-DFC0-41F7-81D7-3E2D326A3351}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\magic 2013\dotp_d13.exe | "{7FE6E4F1-E78A-4EDC-8CB9-A99660D46BBB}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe | "{834192EE-1AF6-4B3A-9AB8-A956AA48F6E7}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.1040\agent.exe | "{868A5D1F-41F7-4EF5-A8F3-C2EDE533F732}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\natural selection 2\ns2.exe | "{89AD8920-7BC5-4BD5-B118-E80B64551CCD}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\dota 2 beta\dota.exe | "{90FBC3A7-966C-43AA-A9FF-7B561249300D}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{94A3596B-7453-4219-8C22-DC4C6761D85E}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\dota 2 beta\dota.exe | "{9909AE0D-3EAA-466F-8788-187F2B194129}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe | "{9B07219D-DB6A-4C96-8108-60F7E6D27DA0}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{A01D09A9-49CC-4FE8-BC01-A8D3008F79D0}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\serious sam 3\bin\sam3_unrestricted.exe | "{A0DB6835-2269-4D29-86E7-E794A5D2CEF4}" = protocol=6 | dir=in | app=f:\games\anno2070\anno5.exe | "{A7C1385C-36B4-4390-9A26-E526B8E0DB83}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\natural selection 2\launchpad.exe | "{A887E353-2EC9-46F4-8FF7-D4C1087CA748}" = protocol=6 | dir=in | 
app=d:\games\steam\steamapps\common\realm of the mad god\realm of the mad god.exe | "{AC80B0E5-B942-46E0-98B2-DA5043F34DBD}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\natural selection 2\ns2.exe | "{AF3EDFA8-F812-428F-BB8D-4E69ECCF52F7}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\cubemen\cubemen.exe | "{BD6A378D-5518-40DD-BA19-35D77569F422}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\serious sam 3\bin\sam3.exe | "{C476A7C5-95CA-4724-8A82-8ACC0948051F}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe | "{C502B590-A127-4540-BAC6-ED9E7581E27A}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd | "{CCC35817-5A77-41DD-856E-90D13D92FF2F}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\realm of the mad god\realm of the mad god.exe | "{D890B451-5716-4C64-8906-D15020CC1A4F}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd | "{DC2042D2-53FF-4EF6-AAF4-3317D981FEA9}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\hackslashloot\hackslashloot.exe | "{E035207A-712A-4BAA-BA61-0D34BBB1199B}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\magic 2013\dotp_d13.exe | "{E32677BC-EE1F-4C33-ADB6-ACD05A8587BB}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.1040\agent.exe | "{E9810919-82FE-4DEA-86FC-D2FC22968D29}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\natural selection 2\ns2.exe | "{EC473C10-976D-4C4F-9F0D-03A19B9EBB51}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd | "{F24069D9-DC94-4E8B-837D-E79B9A76115A}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2\arma2.exe | "{F51D7611-FFE0-478D-A43F-60C6A0BE248C}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\cubemen\cubemen.exe | 
"{FD3F0985-04D0-477F-A41F-0EEAAF10ADF6}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\natural selection 2\launchpad.exe | "TCP Query User{1561DC82-A86E-49AC-AA62-4101F72A947C}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe | "TCP Query User{15CF477D-216A-4B47-BA95-1FD6C457CDEC}E:\games\dead space 2\deadspace2.exe" = protocol=6 | dir=in | app=e:\games\dead space 2\deadspace2.exe | "TCP Query User{2B18C8C9-4A32-49D2-9C54-7035CDF5B49F}C:\windows\system32\java.exe" = protocol=6 | dir=in | app=c:\windows\system32\java.exe | "TCP Query User{2DE05F73-C784-42CE-9D9E-D775AE80B9CB}E:\apps\winamp\winamp.exe" = protocol=6 | dir=in | app=e:\apps\winamp\winamp.exe | "TCP Query User{402EF7EC-EA40-41CC-B303-44210C3C6C10}E:\apps\qip infium\infium.exe" = protocol=6 | dir=in | app=e:\apps\qip infium\infium.exe | "TCP Query User{4D2256F4-4CE2-4717-8620-F5E761E5C9A6}E:\apps\qip infium\infium.exe" = protocol=6 | dir=in | app=e:\apps\qip infium\infium.exe | "TCP Query User{586118B8-AA3B-4B55-AB50-31FCE6EF04B3}E:\apps\icechat7\icechat7.exe" = protocol=6 | dir=in | app=e:\apps\icechat7\icechat7.exe | "TCP Query User{5DCE2DA5-1926-4D5E-8E77-30D8897806F2}D:\games\orcs must die 2\build\release\orcsmustdie2.exe" = protocol=6 | dir=in | app=d:\games\orcs must die 2\build\release\orcsmustdie2.exe | "TCP Query User{766026A6-BD7D-4CB1-ACA8-27C699075CCD}D:\games\steam\steam.exe" = protocol=6 | dir=in | app=d:\games\steam\steam.exe | "TCP Query User{804BD42E-02B7-4002-8D63-C4B2E5FA0F89}F:\games\diablo iii\diablo iii.exe" = protocol=6 | dir=in | app=f:\games\diablo iii\diablo iii.exe | "TCP Query User{93812D0D-CD63-4A33-803F-4F97875016A6}E:\games\suxupdater\tools\bin\rsync.exe" = protocol=6 | dir=in | app=e:\games\suxupdater\tools\bin\rsync.exe | "TCP Query User{AA61333E-0E51-4A15-9C7A-D60F2323E723}E:\games\men of war condemned heroes\condemned heroes.exe" = protocol=6 | dir=in | app=e:\games\men of war 
condemned heroes\condemned heroes.exe | "TCP Query User{B4AF929B-5018-42AE-A715-DEDACD9969F2}D:\games\thewhitcher2\bin\witcher2.exe" = protocol=6 | dir=in | app=d:\games\thewhitcher2\bin\witcher2.exe | "TCP Query User{B6DDC33C-3FEE-42D4-ADEE-CF2AA69BDAAF}C:\programdata\battle.net\agent\agent.524\agent.exe" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.524\agent.exe | "TCP Query User{C1162F77-EEBB-49A4-9D25-3BEA8E512008}E:\apps\winamp\winamp.exe" = protocol=6 | dir=in | app=e:\apps\winamp\winamp.exe | "TCP Query User{C9E239A3-A801-4B8D-B9C6-800E79F31729}E:\games\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe | "TCP Query User{D1E4D631-38BF-4F33-9CB3-023016B907ED}E:\apps\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=e:\apps\jre7\bin\javaw.exe | "TCP Query User{D5569441-BD63-41C7-BC7C-723C8AD400B9}F:\games\world_of_tanks\worldoftanks.exe" = protocol=6 | dir=in | app=f:\games\world_of_tanks\worldoftanks.exe | "TCP Query User{EBF93C2A-D464-4BE8-8E7E-9895470BEDFF}E:\apps\java\bin\javaw.exe" = protocol=6 | dir=in | app=e:\apps\java\bin\javaw.exe | "TCP Query User{FA409024-B3B7-45EA-B516-B08D2628266A}F:\games\world_of_tanks\wotlauncher.exe" = protocol=6 | dir=in | app=f:\games\world_of_tanks\wotlauncher.exe | "UDP Query User{07BC9535-CEAE-47E6-9537-2A734AAA3368}E:\apps\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=e:\apps\jre7\bin\javaw.exe | "UDP Query User{2332C4A5-AB31-483E-9F24-3CBA33F0B41E}E:\apps\icechat7\icechat7.exe" = protocol=17 | dir=in | app=e:\apps\icechat7\icechat7.exe | "UDP Query User{24033BF6-AA78-48DC-A155-50EDF44EE458}E:\games\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe | "UDP Query User{4144B225-F1EE-4AE7-B37F-062DF6654D94}D:\games\orcs 
must die 2\build\release\orcsmustdie2.exe" = protocol=17 | dir=in | app=d:\games\orcs must die 2\build\release\orcsmustdie2.exe | "UDP Query User{499DDED2-E33F-462D-8F1C-29F375180099}D:\games\thewhitcher2\bin\witcher2.exe" = protocol=17 | dir=in | app=d:\games\thewhitcher2\bin\witcher2.exe | "UDP Query User{5B8EE835-29A2-4756-8859-568A8264F9B1}E:\games\dead space 2\deadspace2.exe" = protocol=17 | dir=in | app=e:\games\dead space 2\deadspace2.exe | "UDP Query User{68264CDE-9840-4A90-BEE9-CAE02A212084}F:\games\diablo iii\diablo iii.exe" = protocol=17 | dir=in | app=f:\games\diablo iii\diablo iii.exe | "UDP Query User{6A8F8562-955F-4CA6-B531-324AE432D103}E:\apps\java\bin\javaw.exe" = protocol=17 | dir=in | app=e:\apps\java\bin\javaw.exe | "UDP Query User{6E4A8DAD-87BB-415D-ABA0-B317D6EF2EE5}C:\windows\system32\java.exe" = protocol=17 | dir=in | app=c:\windows\system32\java.exe | "UDP Query User{7075A9E5-37D2-42C7-A15E-622E4B66AF41}E:\apps\winamp\winamp.exe" = protocol=17 | dir=in | app=e:\apps\winamp\winamp.exe | "UDP Query User{7154214E-0C12-4CBB-8985-36026B3E0947}F:\games\world_of_tanks\worldoftanks.exe" = protocol=17 | dir=in | app=f:\games\world_of_tanks\worldoftanks.exe | "UDP Query User{829F47AB-3F39-4CC0-9332-1087191DED06}E:\apps\qip infium\infium.exe" = protocol=17 | dir=in | app=e:\apps\qip infium\infium.exe | "UDP Query User{9AD973E9-ACDE-4E19-966C-0C6D017B750A}E:\games\men of war condemned heroes\condemned heroes.exe" = protocol=17 | dir=in | app=e:\games\men of war condemned heroes\condemned heroes.exe | "UDP Query User{C3AFA5DE-3E38-4217-9164-18F868F76DF5}C:\programdata\battle.net\agent\agent.524\agent.exe" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.524\agent.exe | "UDP Query User{CB6073AE-8BC0-4D2A-B3EB-E679B6DDFE72}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe | "UDP Query 
User{D1D5A192-FE4D-4D46-8D6E-DF0C40C4AE63}E:\games\suxupdater\tools\bin\rsync.exe" = protocol=17 | dir=in | app=e:\games\suxupdater\tools\bin\rsync.exe | "UDP Query User{D5F313AA-7F98-452D-9623-BEC9606A086A}F:\games\world_of_tanks\wotlauncher.exe" = protocol=17 | dir=in | app=f:\games\world_of_tanks\wotlauncher.exe | "UDP Query User{DD9239F2-662F-4124-95F7-2BA0C9CEE810}E:\apps\winamp\winamp.exe" = protocol=17 | dir=in | app=e:\apps\winamp\winamp.exe | "UDP Query User{EAA33EEC-8849-4E75-9650-E69FABFF946B}E:\apps\qip infium\infium.exe" = protocol=17 | dir=in | app=e:\apps\qip infium\infium.exe | "UDP Query User{FEEA004B-03F6-4F7F-8AA4-346B6AC3709E}D:\games\steam\steam.exe" = protocol=17 | dir=in | app=d:\games\steam\steam.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{119B2F5A-2A06-DB96-FF28-992EC2A10BDF}" = AMD Accelerated Video Transcoding "{2E8D6204-D656-8355-1ED3-2988AC52EB0F}" = ccc-utility64 "{3ABFAF33-D6EE-9348-CE96-AF51E9D6D2FF}" = AMD Drag and Drop Transcoding "{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime "{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10 "{5831C6D6-309D-DBB5-14F7-FEE57086CEE7}" = AMD Catalyst Install Manager "{61A177CE-86A3-433F-BFE2-41AB9123A268}" = ESET NOD32 Antivirus "{63CE6C32-1EB3-4C51-89FC-9FD96A661A9C}" = AMD Media Foundation Decoders "{6A76BEAF-6D1F-4273-A79B-DA8410A2E56B}" = Apple Mobile Device Support "{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour "{840A3BAA-4C68-4581-9C7A-6F8D6CF531B9}" = iTunes "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "4144-4862-0472-7103" = WorldPainter 0.9.2 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client 
Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "WinRAR archiver" = WinRAR 4.20 (64-Bit) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{03D4C700-2BFE-43E0-A0B4-9512B43C5B9F}" = Catalyst Control Center - Branding "{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support "{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 "{19D614EB-D62A-AEE7-2391-E74126601D59}" = CCC Help Italian "{1C373820-B9C8-0F7F-8F84-FC1B76A85F27}" = CCC Help Portuguese "{26A24AE4-039D-4CA4-87B4-2F83217006FF}" = Java 7 Update 6 "{2D35BC33-7D08-D529-DF91-8A15FBF2600E}" = CCC Help Polish "{2D8CED57-CCDB-4D86-9087-3BBCAE8F8F22}" = Six Updater "{337788D1-43D1-9A0F-9787-DD00DB512D41}" = Catalyst Control Center Localization All "{4725833D-4325-5C34-57D4-1FE23E5AE578}" = CCC Help Chinese Standard "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4B271648-43CB-DD31-FF24-E7B06D3EE72A}" = Catalyst Control Center InstallProxy "{4DC37F33-7AEC-A4CB-56B1-69A402828763}" = CCC Help Japanese "{5710DAC2-8F2A-503C-CFC2-A973ADE0EA4C}" = CCC Help Czech "{5C763682-4C40-86DA-9C46-31924D7D2C34}" = CCC Help Thai "{60E5022D-FA4B-C6A2-1E80-B46EC39096F3}" = CCC Help Chinese Traditional "{60F34FDF-267C-408F-290E-EC90D841C8CB}" = CCC Help German "{66B79AE1-C6E2-B958-689C-D0812DE86BAB}" = CCC Help Greek "{6B39BE0F-0F5E-A8FA-33E4-8481AE39D96C}" = CCC Help Russian "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update "{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher "{8E19F2AF-7145-51DE-E395-7729A9374973}" = Catalyst Control Center Graphics Previews Common "{91CB5B8B-4EC8-DBA1-A88D-99FD480567B0}" = CCC Help English "{924FBAC4-60D2-7981-3C3E-979DF9CBB346}" = CCC Help Finnish "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual 
C++ 2008 Redistributable - x86 9.0.30729.17 "{9DC939DC-B7A4-D0E2-C582-A442DF1B3EBE}" = CCC Help Spanish "{A1BD938B-F006-6E6D-70B2-47E1DD56F7DE}" = CCC Help Swedish "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch "{B48E264C-C8CD-4617-B0BE-46E977BAD694}" = ANNO 2070 "{BABF7852-C2DD-6A8A-9956-101720C715C7}" = CCC Help Turkish "{BB7C2A56-9706-43B8-5A8C-210AF5816106}" = CCC Help French "{CA328CDF-A284-445E-AAE7-B24A11E97201}" = MechWarrior Online "{CFC2CB60-5654-05A7-4D30-C661800A3A92}" = CCC Help Korean "{D04CE005-D1D2-80F3-84C8-B3524FCD39C3}" = CCC Help Norwegian "{D544AE4C-4152-225B-A897-6756C8986B14}" = Catalyst Control Center "{D81E9069-3CCC-4405-3751-71E4AFEACC52}" = CCC Help Hungarian "{E93FF166-DF14-2537-8FB4-96BB5810A96C}" = CCC Help Danish "{F0A209B7-7F85-4BDD-8F1F-B98EEAD9E04B}" = The Witcher 2 "{FA66CFD7-0977-4C45-AACD-A8BB994B1A05}" = Quake Live Mozilla Plugin "{FA9827E1-8A8E-C176-4923-0840A67ED4DE}" = CCC Help Dutch "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "AnyDVD" = AnyDVD "BattlEye for A2" = BattlEye Uninstall "BattlEye for OA" = BattlEye for OA Uninstall "DAEMON Tools Lite" = DAEMON Tools Lite "Darksiders II_is1" = Darksiders II "Endless Space_is1" = Endless Space "EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.50 "IceChat_is1" = IceChat 7.70 (Build 20101031) "IrfanView" = IrfanView (remove only) "Legends of Pegasus_is1" = Legends of Pegasus "MiNODLogin" = ESET Antivirus License Finder (MiNODLogin) "MozBackup" = MozBackup 1.5.1 "Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "Notepad++" = Notepad++ "Orcs Must Die 2_is1" = Orcs Must Die 2 "Sid Meier's Civilization V - Gods and Kings_is1" = Sid Meier's Civilization V - Gods and Kings "Sins of a Solar Empire Rebellion (c) Stardock_is1" = Sins of a Solar Empire Rebellion (c) Stardock version 1 "Steam App 200210" = Realm of the Mad God "Steam App 207250" = Cubemen "Steam 
App 207430" = Hack, Slash, Loot "Steam App 220" = Half-Life 2 "Steam App 33910" = ARMA 2 "Steam App 33930" = ARMA 2: Operation Arrowhead "Steam App 340" = Half-Life 2: Lost Coast "Steam App 380" = Half-Life 2: Episode One "Steam App 420" = Half-Life 2: Episode Two "Steam App 440" = Team Fortress 2 "Steam App 570" = Dota 2 "Steam App 97330" = Magic: The Gathering - Duels of the Planeswalkers 2013 "VLC media player" = VLC media player 2.0.1 "Winamp" = Winamp ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{4f004f4a-1930-4b55-83e6-61660211787f}" = MechWarrior Online "CopyTrans Suite" = Nur Entfernen der CopyTrans Suite möglich "Google Chrome" = Google Chrome "QIP Infium" = QIP Infium 3.0.9044 "Winamp Detect" = Winamp Erkennungs-Plug-in ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 28.08.2012 10:51:22 | Computer Name = ZweckformerPC2 | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 7067 Error - 28.08.2012 10:51:23 | Computer Name = ZweckformerPC2 | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 28.08.2012 10:51:23 | Computer Name = ZweckformerPC2 | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 8066 Error - 28.08.2012 10:51:23 | Computer Name = ZweckformerPC2 | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 8066 Error - 29.08.2012 03:17:31 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10 Description = Error - 29.08.2012 05:50:16 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10 Description = Error - 29.08.2012 06:04:38 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10 Description = Error - 29.08.2012 06:13:15 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10 
Description =
Error - 29.08.2012 06:16:15 | Computer Name = ZweckformerPC2 | Source = Microsoft-Windows-CAPI2 | ID = 512
Description = The Cryptographic Services service failed to initialize the VSS backup object "System Writer". Details: Could not query the status of the EventSystem service. System Error: The computer is shutting down.
Error - 29.08.2012 06:19:24 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = The "Network List Service" service depends on the "NLA (Network Location Awareness)" service, which failed to start because of the following error: %%1068
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = The "Network List Service" service depends on the "NLA (Network Location Awareness)" service, which failed to start because of the following error: %%1068
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = The "Network List Service" service depends on the "NLA (Network Location Awareness)" service, which failed to start because of the following error: %%1068
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = The "Network List Service" service depends on the "NLA (Network Location Awareness)" service, which failed to start because of the following error: %%1068
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = The "Network List Service" service depends on the "NLA (Network Location Awareness)" service, which failed to start because of the following error: %%1068
Error - 29.08.2012 08:35:24 | Computer Name = ZweckformerPC2 | Source = DCOM | ID = 10005
Description =
Error - 29.08.2012 08:35:24 | Computer Name = ZweckformerPC2 | Source = DCOM | ID = 10005
Description =
Error - 29.08.2012 08:35:24 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = The "Network List Service" service depends on the "NLA (Network Location Awareness)" service, which failed to start because of the following error: %%1068
Error - 29.08.2012 09:02:30 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = The "Network List Service" service depends on the "NLA (Network Location Awareness)" service, which failed to start because of the following error: %%1068
Error - 29.08.2012 10:15:06 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = The "Network List Service" service depends on the "NLA (Network Location Awareness)" service, which failed to start because of the following error: %%1068

< End of report >

I have uploaded the files from the _OTL folder that was on D: as well as the "cache" folder from the Java path via the upload channel. Many thanks for the help!!! Regards |
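The two OTL sections in the log above that matter for a screen-locker case are "Files Created" (a company-less file dropped into a user-writable directory around the infection time, here msconfig.ini in AppData\Roaming at 11:46:32 on the day of the post) and "Shell Spawning" (the handlers for exefile, comfile, batfile and the like, which a locker sometimes rewrites so that it is launched before any program). The Python below is an added example, not part of the thread and not code from OTL or ComboFix: it parses both sections in the exact line format shown and returns the entries an analyst would flag. The sample input copies four entries and two shell lines from the posted log; the comfile handler pointing at C:\ProgramData\example-hijack.exe is invented to show a hit, the incident time of 13:58 is taken from the first post's timestamp, and the six-hour window, the user-writable path list and the stock-handler table are the example's own heuristics.

```python
"""Triage helpers for the OTL log format posted in this thread.

Added example for this page; it is not part of the thread, of OTL or of
ComboFix.  It parses two OTL sections shown above ("Files Created" and
"Shell Spawning") and flags what an analyst looks for in a screen-locker case:
company-less files created in user-writable directories shortly before the
incident, and executable-class shell handlers that no longer read '"%1" %*'.
"""
import re
from datetime import datetime, timedelta

# An OTL file entry, as in the posted log (the company group is absent in the
# "LOP Check" section, so it is optional):
# [2012.08.29 11:46:32 | 000,000,045 | ---- | C] () -- D:\Users\DenDe\AppData\Roaming\msconfig.ini
FILE_RE = re.compile(
    r"\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)
# An OTL shell-spawning entry:  exefile [open] -- "%1" %*
SHELL_RE = re.compile(r"^(?P<cls>\w+) \[(?P<verb>[^\]]+)\] -- (?P<cmd>.+?)\s*$")

# Stock handlers for the executable file classes (example's own table);
# anything else is a hijack candidate.
STOCK_HANDLERS = {
    (cls, "open"): '"%1" %*' for cls in ("exefile", "comfile", "batfile", "cmdfile", "piffile")
}
# Locations a standard user can write to (example's own list); a company-less
# file created there at infection time is the typical locker payload or config.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\")


def parse_file_entries(otl_text):
    """Return one dict per OTL file entry (kind 'C' = created, 'M' = modified)."""
    entries = []
    for line in otl_text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y.%m.%d %H:%M:%S")
        entry["size"] = int(entry["size"].replace(",", ""))
        entry["company"] = entry["company"] or ""
        entries.append(entry)
    return entries


def suspicious_created(entries, incident, window=timedelta(hours=6)):
    """Paths of company-less files created in a user-writable location within `window` before `incident`."""
    hits = []
    for e in entries:
        if e["kind"] != "C" or e["company"]:
            continue
        if not any(tag in e["path"].lower() for tag in USER_WRITABLE):
            continue
        if incident - window <= e["ts"] <= incident:
            hits.append(e["path"])
    return hits


def hijacked_shell_handlers(otl_text):
    """(class, verb, command) for executable classes whose handler is not the stock one."""
    hits = []
    for line in otl_text.splitlines():
        m = SHELL_RE.match(line.strip())
        if not m:
            continue
        key = (m["cls"], m["verb"])
        if key in STOCK_HANDLERS and m["cmd"] != STOCK_HANDLERS[key]:
            hits.append((m["cls"], m["verb"], m["cmd"]))
    return hits


def triage(otl_text, incident_ts, window_hours=6):
    """Run both checks; `incident_ts` uses the OTL timestamp format 'YYYY.MM.DD HH:MM:SS'."""
    incident = datetime.strptime(incident_ts, "%Y.%m.%d %H:%M:%S")
    return {
        "created": suspicious_created(parse_file_entries(otl_text), incident, timedelta(hours=window_hours)),
        "shell": hijacked_shell_handlers(otl_text),
    }


# Constructed sample: the file entries and the first two shell lines are copied
# from the posted OTL log; the comfile handler is invented to show a hit.
SAMPLE_OTL = r"""
[2012.08.29 11:46:32 | 000,000,045 | ---- | C] () -- D:\Users\DenDe\AppData\Roaming\msconfig.ini
[2012.07.19 17:45:15 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2012.08.23 10:27:06 | 000,095,208 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012.08.03 20:31:52 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\.minecraft
exefile [open] -- "%1" %*
batfile [open] -- "%1" %*
comfile [open] -- "C:\ProgramData\example-hijack.exe" "%1" %*
"""

if __name__ == "__main__":
    # Incident time is an assumption: the first post in the thread went up at 13:58.
    for section, findings in triage(SAMPLE_OTL, "2012.08.29 13:58:00").items():
        print(section, findings)
```

Run against the full OTL.txt and extras.txt pasted from the thread, the same two calls pick out msconfig.ini and confirm that every executable-class handler in the "Shell Spawning" section is still stock, which is why the fix in this case is limited to the Winlogon shell value and the dropped file rather than the file-association keys. The hidden .zreglib entry in ProgramData only shows up when the incident window is moved back to its July creation time, which is the point of keying the check on time rather than on location alone.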
29.08.2012, 16:07 | #4 | |
/// Malware-holic | Very good.

ComboFix may only be run when a team member has instructed you to do so! Please download ComboFix from one of these download mirrors: Link 1 Link 2 IMPORTANT - Save ComboFix to your desktop.
When ComboFix has finished it will create a log file. Please post C:\Combofix.txt in your next reply. Note: should you get the following error message after the restart Quote:
__________________ - Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de Forwarding instructions: http://markusg.trojaner-board.de For now, please forward mails to markusg.trojaner-board@web.de according to the instructions above. If you would like to support us |
29.08.2012, 17:10 | #5 |
| GVU Trojan (variant of 2.07, as the image differs slightly) OK, done. Attached is the output from ComboFix.exe: Combofix Logfile: Code:
ATTFilter
ComboFix 12-08-28.03 - Zweckformer 29.08.2012 18:00:25.2.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.8190.6403 [GMT 2:00]
ausgeführt von:: d:\users\DenDe\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\users\DenDe\AppData\Roaming\msconfig.ini
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-07-28 bis 2012-08-29 ))))))))))))))))))))))))))))))
.
.
2012-08-29 14:22 . 2012-08-27 23:49 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DB332942-1681-4B3B-92E2-B883A403F285}\mpengine.dll
2012-08-29 11:51 . 2012-08-29 11:51 -------- d-----w- C:\found.000
2012-08-29 10:46 . 2012-08-29 16:04 -------- d-----w- c:\windows\system32\wbem\repository
2012-08-23 08:27 . 2012-08-23 08:27 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-08-23 08:27 . 2012-08-23 08:27 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-23 08:27 . 2012-08-23 08:27 -------- d-----w- c:\program files (x86)\Java
2012-08-20 21:27 . 2012-08-20 21:38 -------- d-----w- d:\users\DenDe\AppData\Local\Darksiders2
2012-08-19 21:37 . 2012-06-29 03:49 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-08-19 21:22 . 2012-08-19 21:22 -------- d-----w- C:\Games
2012-08-19 21:22 . 2012-08-19 21:22 -------- d-----w- d:\users\DenDe\AppData\Local\Package Cache
2012-08-13 16:36 . 2012-08-13 16:36 -------- d-----w- c:\programdata\RELOADED
2012-08-11 10:42 . 2012-08-11 10:42 -------- d-----w- d:\users\DenDe\AppData\Roaming\RotMG.Production
2012-08-07 19:49 . 2012-08-07 19:49 -------- d-----w- d:\users\DenDe\AppData\Local\Adobe
2012-08-06 18:39 . 2012-08-06 18:39 -------- d-----w- d:\users\DenDe\AppData\Roaming\Natural Selection 2
2012-08-04 21:23 . 2012-08-04 21:23 -------- d-----w- d:\users\DenDe\AppData\Roaming\HackSlashLoot
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-23 08:27 . 2012-06-21 15:03 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-21 18:39 . 2012-06-26 08:42 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-21 18:39 . 2012-06-26 08:42 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-19 21:36 . 2012-06-22 07:56 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-08-19 18:50 . 2012-07-20 19:18 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-19 18:50 . 2012-07-20 19:18 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-29 21:38 . 2012-06-29 21:36 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-06-21 16:22 . 2012-06-21 16:22 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-06-21 16:22 . 2012-06-21 16:22 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-06-21 16:22 . 2012-06-21 16:22 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-06-21 16:22 . 2012-06-21 16:22 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-06-21 16:22 . 2012-06-21 16:22 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-06-21 16:22 . 2012-06-21 16:22 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-06-21 16:22 . 2012-06-21 16:22 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-06-21 16:22 . 2012-06-21 16:22 82432 ----a-w- c:\windows\system32\icardie.dll
2012-06-21 16:22 . 2012-06-21 16:22 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-06-21 16:22 . 2012-06-21 16:22 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-06-21 16:22 . 2012-06-21 16:22 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-06-21 16:22 . 2012-06-21 16:22 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-06-21 16:22 . 2012-06-21 16:22 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-06-21 16:22 . 2012-06-21 16:22 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-06-21 16:22 . 2012-06-21 16:22 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-06-21 16:22 . 2012-06-21 16:22 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-06-21 16:22 . 2012-06-21 16:22 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-06-21 16:22 . 2012-06-21 16:22 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-06-21 16:22 . 2012-06-21 16:22 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-06-21 16:22 . 2012-06-21 16:22 448512 ----a-w- c:\windows\system32\html.iec
2012-06-21 16:22 . 2012-06-21 16:22 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-06-21 16:22 . 2012-06-21 16:22 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-06-21 16:22 . 2012-06-21 16:22 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-06-21 16:22 . 2012-06-21 16:22 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-06-21 16:22 . 2012-06-21 16:22 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-06-21 16:22 . 2012-06-21 16:22 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-06-21 16:22 . 2012-06-21 16:22 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-06-21 16:22 . 2012-06-21 16:22 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-06-21 16:22 . 2012-06-21 16:22 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-06-21 16:22 . 2012-06-21 16:22 222208 ----a-w- c:\windows\system32\msls31.dll
2012-06-21 16:22 . 2012-06-21 16:22 197120 ----a-w- c:\windows\system32\msrating.dll
2012-06-21 16:22 . 2012-06-21 16:22 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-06-21 16:22 . 2012-06-21 16:22 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-06-21 16:22 . 2012-06-21 16:22 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-06-21 16:22 . 2012-06-21 16:22 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-06-21 16:22 . 2012-06-21 16:22 149504 ----a-w- c:\windows\system32\occache.dll
2012-06-21 16:22 . 2012-06-21 16:22 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-06-21 16:22 . 2012-06-21 16:22 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-06-21 16:22 . 2012-06-21 16:22 12288 ----a-w- c:\windows\system32\mshta.exe
2012-06-21 16:22 . 2012-06-21 16:22 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-06-21 16:22 . 2012-06-21 16:22 114176 ----a-w- c:\windows\system32\admparse.dll
2012-06-21 16:22 . 2012-06-21 16:22 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-06-21 16:22 . 2012-06-21 16:22 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-06-21 16:22 . 2012-06-21 16:22 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-06-21 16:22 . 2012-06-21 16:22 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-06-21 16:22 . 2012-06-21 16:22 697344 ----a-w- c:\windows\system32\msfeeds.dll
2012-06-21 16:22 . 2012-06-21 16:22 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-06-21 16:22 . 2012-06-21 16:22 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-21 16:22 . 2012-06-21 16:22 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-06-21 16:22 . 2012-06-21 16:22 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-06-21 16:22 . 2012-06-21 16:22 160256 ----a-w- c:\windows\system32\wextract.exe
2012-06-21 16:22 . 2012-06-21 16:22 103936 ----a-w- c:\windows\system32\inseng.dll
2012-06-09 05:43 . 2012-07-11 05:57 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-11 05:57 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 05:57 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 05:57 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 05:57 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 05:57 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 05:57 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-22 08:06 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 08:07 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 08:07 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 08:07 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 08:06 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 08:07 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 08:06 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-22 08:06 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-22 08:06 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:50 . 2012-07-11 05:57 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-11 05:57 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-11 05:57 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-11 05:57 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-11 05:57 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-11 05:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-11 05:57 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-11 05:57 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-11 05:57 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="e:\apps\DAEMON Tools Lite\DTLite.exe" [2012-04-11 3672384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-05 641664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"iTunesHelper"="e:\apps\Itunes\iTunesHelper.exe" [2012-06-07 421776]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 250056]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;e:\apps\EVEREST Ultimate Edition\kerneld.amd64 [2010-03-30 26752]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-04-25 52736]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-06-29 283200]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-04 146432]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-04-06 236544]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 202576]
S2 ekrn;ESET Service;e:\apps\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2011-08-04 137144]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-04-06 11174400]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-04-06 343040]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f7eab56-bc40-11e1-9592-0023ae616502}]
\shell\AutoRun\command - K:\Setup.exe
.
Inhalt des "geplante Tasks" Ordners
.
2012-08-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-20 18:50]
.
2012-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-72721436-1853332672-4045996675-1001Core.job
- d:\users\DenDe\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-20 19:07]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-72721436-1853332672-4045996675-1001UA.job
- d:\users\DenDe\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-20 19:07]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="e:\apps\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 217.0.43.129 192.168.0.1
FF - ProfilePath - d:\users\DenDe\AppData\Roaming\Mozilla\Firefox\Profiles\b4uoubp3.default\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-BattlEye for A2 - e:\games\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe
AddRemove-BattlEye for OA - e:\games\steam\steamapps\common\arma 2 operation arrowhead\Expansion\BattlEye\UnInstallBE.exe
AddRemove-Steam App 207250 - e:\games\Steam\steam.exe
AddRemove-Steam App 207430 - e:\games\Steam\steam.exe
AddRemove-Steam App 33910 - e:\games\Steam\steam.exe
AddRemove-Steam App 33930 - e:\games\Steam\steam.exe
AddRemove-Steam App 570 - e:\games\Steam\steam.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EverestDriver]
"ImagePath"="\??\e:\apps\EVEREST Ultimate Edition\kerneld.amd64"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-08-29 18:07:39 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-08-29 16:07
.
Vor Suchlauf: 8 Verzeichnis(se), 31.276.617.728 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 31.244.578.816 Bytes frei
.
- - End Of File - - 4BC448140F933A884870ABAE98DAF28E

Regards |
29.08.2012, 17:11 | #6 |
/// Malware-holic | GVU Trojan (variant of 2.07, as the image differs slightly) Hi. Malwarebytes: Please download Malwarebytes
__________________ |
29.08.2012, 18:03 | #7 |
| GVU Trojan (variant of 2.07, as the image differs slightly) Hey. Here is the MBAM log Code:
ATTFilter
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.08.29.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Zweckformer :: ZWECKFORMERPC2 [Administrator]

29.08.2012 18:19:13
mbam-log-2012-08-29 (18-19-13).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 424507
Laufzeit: 36 Minute(n), 5 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
E:\Games\Serious Sam HD - The Second Encounter\TDU5k.exe (Packer.ModifiedUPX) -> Erfolgreich gelöscht und in Quarantäne gestellt.
D:\_OTL\MovedFiles\08292012_161544\D_Users\DenDe\AppData\Roaming\msconfig.dat (Trojan.Agent.VGENX) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

Regards |
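A read-only check a defender can run after a cleanup like the one above, added here as an example and not part of the thread: it lists the Winlogon "Shell" value for the machine hive and for every loaded user hive, which is the value this GVU variant pointed at the msconfig.dat under AppData\Roaming that Malwarebytes quarantined, and flags anything other than the default explorer.exe. It assumes an elevated PowerShell 3 or later; the HKU drive mapping and the function names are mine.

```powershell
# Added example, not from the thread. Read-only: lists the Winlogon "Shell" value
# (HKLM and every loaded user hive under HKEY_USERS) and flags anything that is
# not the default explorer.exe. The GVU lock screen in this thread was started
# this way, from a file under the user's AppData\Roaming.
# Assumes an elevated PowerShell 3+; the HKU drive and function names are mine.

$WinlogonSubKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell  = 'explorer.exe'

function Test-ShellSuspicious {
    param([string]$Shell)
    # No per-user value means the machine-wide default is used: nothing to flag.
    if ([string]::IsNullOrWhiteSpace($Shell)) { return $false }
    return ($Shell.Trim() -ine $ExpectedShell)
}

function Get-ShellValues {
    # Map HKEY_USERS once so the hives of logged-on users can be enumerated;
    # the *_Classes hives never carry Winlogon settings and are skipped.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    $hives = @([pscustomobject]@{ Name = 'HKLM'; Path = "HKLM:\$WinlogonSubKey" })
    $hives += Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.PSChildName
                Path = "HKU:\$($_.PSChildName)\$WinlogonSubKey"
            }
        }

    foreach ($hive in $hives) {
        $shell = $null
        if (Test-Path -Path $hive.Path) {
            $shell = (Get-ItemProperty -Path $hive.Path -ErrorAction SilentlyContinue).Shell
        }
        [pscustomobject]@{
            Hive       = $hive.Name
            Shell      = $shell
            Suspicious = Test-ShellSuspicious -Shell $shell
        }
    }
}

$results = Get-ShellValues
$results | Format-Table -AutoSize

# A flagged row names the persisted file; record the path and hand it to the
# cleanup tool your helper prescribes so the quarantine log stays reviewable.
if ($results | Where-Object { $_.Suspicious }) { exit 1 } else { exit 0 }
```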
30.08.2012, 12:07 | #8 |
/// Malware-holic | GVU Trojan (variant of 2.07, as the image differs slightly) Download the CCleaner standard edition: CCleaner Download - CCleaner 3.22.1800 If CCleaner is already installed, skip this. Install it, open it, go to Extras, list of installed programs, save as txt. Open it. Next to every program you need, write "necessary". Next to every one you don't need, "unnecessary". Next to those unknown to you, "unknown". Post the list.