Log analysis and evaluation: PC infected with ZeuS/ZBot? Logs attached. Windows 7. If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
16.01.2013, 17:05 | #1
PC infected with ZeuS/ZBot? Logs attached.

Hey, over Christmas I was at my parents' and also used their internet connection with my laptop. Today my parents received a letter from Telekom pointing out that a PC that uses or has used this connection is infected with ZeuS/ZBot. Now there is of course the possibility that the PC in question is mine, although I would rate the probability as rather low and believe that it is one of my parents' machines. Still, I would like to be certain, also so that I can help them afterwards. So I would be very grateful if one of you could take a look at the logs and say something about them! I don't want to go straight in using a sledgehammer to crack a nut.

Code:
ATTFilter
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.01.16.03

Windows Vista x86 NTFS
Internet Explorer 7.0.6000.16982
sydney :: SYD-PC [Administrator]

16.01.2013 14:02:30
MBAM-log-2013-01-16 (16-15-57).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|H:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 550794
Laufzeit: 2 Stunde(n), 12 Minute(n), 43 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

Code:
ATTFilter OTL logfile created on: 16.01.2013 16:19:09 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = D:\Tools\OTL Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation Internet Explorer (Version = 7.0.6000.16982) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 0,89 Gb Available Physical Memory | 29,72% Memory free 6,19 Gb Paging File | 4,06 Gb Available in Paging File | 65,57% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 140,04 Gb Total Space | 27,73 Gb Free Space | 19,80% Space Free | Partition Type: NTFS Drive D: | 140,00 Gb Total Space | 65,92 Gb Free Space | 47,08% Space Free | Partition Type: NTFS Drive E: | 8,89 Gb Total Space | 3,82 Gb Free Space | 42,98% Space Free | Partition Type: NTFS Drive F: | 9,04 Gb Total Space | 8,97 Gb Free Space | 99,20% Space Free | Partition Type: NTFS Drive H: | 298,02 Gb Total Space | 37,60 Gb Free Space | 12,62% Space Free | Partition Type: FAT32 Computer Name: SYD-PC | User Name: sydney | Logged in as Administrator. 
Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - D:\Tools\OTL\OTL.exe (OldTimer Tools) PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Programme\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) PRC - C:\Programme\NVIDIA Corporation\Display\nvtray.exe (NVIDIA Corporation) PRC - C:\Programme\NVIDIA Corporation\Display\nvxdsync.exe (NVIDIA Corporation) PRC - C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation) PRC - C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) PRC - D:\Tools\Hamachi\hamachi-2-ui.exe (LogMeIn Inc.) PRC - D:\Tools\Hamachi\hamachi-2.exe (LogMeIn Inc.) PRC - C:\Windows\System32\AEstSrv.exe (Andrea Electronics Corporation) PRC - C:\Windows\System32\stacsv.exe (IDT, Inc.) PRC - C:\Programme\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.) PRC - C:\Programme\DellTPad\Apoint.exe (Alps Electric Co., Ltd.) PRC - C:\Programme\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.) PRC - C:\Programme\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.) PRC - C:\Programme\Dell\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.) PRC - C:\Programme\Dell\WIDCOMM\Bluetooth Software\BTStackServer.exe (Broadcom Corporation.) 
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation) PRC - C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation) PRC - C:\Programme\DellTPad\hidfind.exe (Alps Electric Co., Ltd.) ========== Modules (No Company Name) ========== MOD - C:\Programme\Mozilla Firefox\mozjs.dll () MOD - C:\Windows\System32\Macromed\Flash\NPSWF32_11_2_202_235.dll () MOD - C:\Programme\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll () MOD - C:\Programme\Common Files\Apple\Apple Application Support\zlib1.dll () MOD - C:\Programme\Common Files\Apple\Apple Application Support\libxml2.dll () MOD - C:\Programme\Dell\WIDCOMM\Bluetooth Software\BTKeyInd.dll () MOD - C:\Windows\System32\btwhidcs.dll () ========== Services (SafeList) ========== SRV - (BEService) -- C:\Programme\Common Files\BattlEye\BEService.exe () SRV - (MozillaMaintenance) -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation) SRV - (MBAMService) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation) SRV - (MBAMScheduler) -- C:\Programme\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation) SRV - (nvUpdatusService) -- C:\Programme\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation) SRV - (Stereo Service) -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation) SRV - (AdobeARMservice) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) SRV - (Hamachi2Svc) -- D:\Tools\Hamachi\hamachi-2.exe (LogMeIn Inc.) SRV - (AESTFilters) -- C:\Windows\System32\AEstSrv.exe (Andrea Electronics Corporation) SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (IDT, Inc.) 
SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation) SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (Microsoft Office Groove Audit Service) -- C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation) SRV - (odserv) -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE (Microsoft Corporation) SRV - (ose) -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found DRV - (DFUBTUSB) -- System32\Drivers\frmupgr.sys File not found DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found DRV - (MBAMSwissArmy) -- C:\Windows\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation) DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation) DRV - (truecrypt) -- C:\Windows\System32\drivers\truecrypt.sys (TrueCrypt Foundation) DRV - (VBoxNetAdp) -- C:\Windows\System32\drivers\VBoxNetAdp.sys (Oracle Corporation) DRV - (VBoxUSBMon) -- C:\Windows\System32\drivers\VBoxUSBMon.sys (Oracle Corporation) DRV - (VBoxDrv) -- C:\Windows\System32\drivers\VBoxDrv.sys (Oracle Corporation) DRV - (VBoxNetFlt) -- C:\Windows\System32\drivers\VBoxNetFlt.sys (Oracle Corporation) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.) DRV - (hidusbf) -- C:\Windows\System32\drivers\hidusbf.sys () DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.) DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.) 
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation) DRV - (NETw3v32) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel® Corporation) DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.) DRV - (StarOpen) -- C:\Windows\System32\drivers\StarOpen.sys () ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local> ========== FireFox ========== FF - prefs.js..browser.search.update: false FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..extensions.enabledAddons: info%40youtube-mp3.org:1.0.4 FF - prefs.js..extensions.enabledAddons: %7Bd40f5e7b-d2cf-4856-b441-cc613eeffbe3%7D:1.68 FF - prefs.js..extensions.enabledAddons: %7B1018e4d6-728f-4b20-ad56-37578a4de76b%7D:4.2.5 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - 
HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.01.13 09:56:46 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.01.13 09:56:32 | 000,000,000 | ---D | M] [2012.05.28 12:41:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\sydney\AppData\Roaming\mozilla\Extensions [2013.01.08 22:30:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\sydney\AppData\Roaming\mozilla\Firefox\Profiles\t0ibmuz3.default\extensions [2013.01.08 22:30:46 | 000,000,000 | ---D | M] (Flagfox) -- C:\Users\sydney\AppData\Roaming\mozilla\Firefox\Profiles\t0ibmuz3.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b} [2012.06.07 20:59:40 | 000,006,796 | ---- | M] () (No name found) -- C:\Users\sydney\AppData\Roaming\mozilla\firefox\profiles\t0ibmuz3.default\extensions\info@youtube-mp3.org.xpi [2012.12.15 13:16:13 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\sydney\AppData\Roaming\mozilla\firefox\profiles\t0ibmuz3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012.05.30 18:56:53 | 000,138,614 | ---- | M] () (No name found) -- C:\Users\sydney\AppData\Roaming\mozilla\firefox\profiles\t0ibmuz3.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2012.05.28 12:52:36 | 000,002,454 | ---- | 
M] () -- C:\Users\sydney\AppData\Roaming\mozilla\firefox\profiles\t0ibmuz3.default\searchplugins\duckduckgo-de.xml [2012.05.28 12:54:11 | 000,001,610 | ---- | M] () -- C:\Users\sydney\AppData\Roaming\mozilla\firefox\profiles\t0ibmuz3.default\searchplugins\ixquick-https---deutsch.xml [2013.01.13 09:56:30 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2013.01.13 09:56:46 | 000,262,704 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.21 12:51:44 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.09.07 16:48:19 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.21 12:51:44 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.21 12:51:44 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.21 12:51:44 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.21 12:51:44 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programme\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.) O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O4 - HKLM..\Run: [Apoint] C:\Programme\DellTPad\Apoint.exe (Alps Electric Co., Ltd.) O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [LogMeIn Hamachi Ui] D:\Tools\Hamachi\hamachi-2-ui.exe (LogMeIn Inc.) 
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Programme\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Programme\Dell\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm () O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Programme\Dell\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.) O9 - Extra Button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Dell\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Dell\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) 
O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C226E32D-30B0-4EDC-9695-D140F5BF60B4}: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E3872006-2FA4-4830-A364-D575CFFCCDC4}: DhcpNameServer = 192.168.1.1 O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Users\sydney\Pictures\Logos & Wallpaper\Wallpaper\Bushido Jp.jpg O24 - Desktop BackupWallPaper: C:\Users\sydney\Pictures\Logos & Wallpaper\Wallpaper\Bushido Jp.jpg O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{cbc7456c-a8a7-11e1-8d31-001dd9ea09dc}\Shell - "" = AutoRun O33 - MountPoints2\{cbc7456c-a8a7-11e1-8d31-001dd9ea09dc}\Shell\AutoRun\command - "" = I:\AUTORUN.EXE O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: 
(ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2013.01.16 14:00:31 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2013.01.15 17:29:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BattlEye [2013.01.14 21:06:22 | 000,000,000 | ---D | C] -- C:\Users\sydney\Desktop\Day Z [2013.01.14 16:17:54 | 000,000,000 | ---D | C] -- C:\Users\sydney\AppData\Local\DayZCommander [2013.01.13 20:45:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SIX Networks [2013.01.13 09:56:29 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013.01.12 17:20:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Bohemia Interactive Studio [2013.01.08 19:42:57 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll [2013.01.08 19:42:57 | 000,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll [2013.01.08 19:42:57 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll [2013.01.08 19:42:57 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll [2013.01.08 19:42:56 | 002,452,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat [2013.01.08 19:42:56 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll [2013.01.08 19:42:56 | 000,027,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2013.01.08 19:42:55 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll [2013.01.08 19:42:55 | 000,214,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll [2013.01.08 19:42:54 | 000,459,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2013.01.08 19:42:53 | 000,180,736 | ---- | C] (Microsoft Corporation) -- 
C:\Windows\System32\ieui.dll [2013.01.08 19:42:50 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec [2013.01.08 19:42:48 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll [2013.01.08 19:42:48 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll [2013.01.08 19:42:47 | 001,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2013.01.08 19:42:46 | 000,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll [2013.01.08 19:42:45 | 001,830,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2013.01.08 19:42:44 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2013.01.08 19:42:41 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll [2013.01.08 19:42:40 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe [2013.01.08 19:42:40 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll [2013.01.08 19:42:40 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll [2013.01.08 19:30:02 | 000,622,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardagt.exe [2013.01.08 19:30:02 | 000,097,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardapi.dll [2013.01.08 19:30:02 | 000,037,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardcpl.cpl [2013.01.08 19:30:02 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardres.dll [2013.01.08 19:29:51 | 000,105,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll [2013.01.08 19:29:50 | 000,781,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationNative_v0300.dll [2013.01.08 18:54:37 | 000,000,000 | ---D | C] -- C:\Users\sydney\AppData\Roaming\Play withSIX [2013.01.08 
18:54:37 | 000,000,000 | ---D | C] -- C:\Users\sydney\AppData\Local\Play withSIX [2013.01.08 18:53:09 | 000,000,000 | ---D | C] -- C:\Users\sydney\AppData\Local\Downloaded Installations [2013.01.08 18:48:32 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe [2013.01.08 18:48:32 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll [2013.01.08 18:48:32 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll [2013.01.08 18:33:58 | 000,000,000 | ---D | C] -- C:\Users\sydney\AppData\Local\ArmA 2 [2013.01.08 18:33:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bohemia Interactive [2013.01.07 21:12:00 | 000,000,000 | ---D | C] -- C:\Users\sydney\AppData\Local\ArmA 2 OA [2013.01.07 21:12:00 | 000,000,000 | ---D | C] -- C:\Users\sydney\Documents\ArmA 2 [2013.01.07 21:11:46 | 000,000,000 | ---D | C] -- C:\Users\sydney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bohemia Interactive [2013.01.05 23:44:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IKEA HomePlanner [2013.01.05 23:44:14 | 000,000,000 | ---D | C] -- C:\Program Files\IKEA HomePlanner [2013.01.05 23:43:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard [2013.01.02 20:56:34 | 000,000,000 | ---D | C] -- C:\Users\sydney\AppData\Roaming\Hamachi [2013.01.02 20:36:02 | 000,729,088 | ---- | C] (Indigo Rose Corporation) -- C:\Windows\iun6002.exe [2013.01.02 20:36:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YAWLE [2012.12.26 17:33:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fox Interactive [2012.12.26 16:49:33 | 000,000,000 | ---D | C] -- C:\Users\sydney\Desktop\LAN ========== Files - Modified Within 30 Days ========== [2013.01.16 15:21:55 | 000,003,552 | -H-- | M] () -- 
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2013.01.16 15:21:55 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2013.01.16 14:01:31 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2013.01.16 13:29:22 | 000,655,154 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2013.01.16 13:29:22 | 000,621,864 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2013.01.16 13:29:22 | 000,121,328 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2013.01.16 13:29:22 | 000,107,588 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2013.01.16 13:21:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.01.16 13:21:49 | 3219,173,376 | -HS- | M] () -- C:\hiberfil.sys [2013.01.16 00:20:20 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2013.01.10 13:16:50 | 000,172,544 | ---- | M] () -- C:\Users\sydney\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2013.01.08 19:42:58 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll [2013.01.08 19:42:57 | 000,230,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll [2013.01.08 19:42:57 | 000,161,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll [2013.01.08 19:42:57 | 000,072,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll [2013.01.08 19:42:56 | 002,452,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat [2013.01.08 19:42:56 | 000,380,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll [2013.01.08 19:42:56 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2013.01.08 19:42:55 | 000,347,136 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll [2013.01.08 19:42:55 | 000,214,528 | ---- | M] (Microsoft Corporation) -- 
C:\Windows\System32\dxtrans.dll [2013.01.08 19:42:54 | 000,459,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2013.01.08 19:42:53 | 000,180,736 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2013.01.08 19:42:50 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec [2013.01.08 19:42:48 | 000,078,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll [2013.01.08 19:42:48 | 000,048,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll [2013.01.08 19:42:47 | 001,383,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2013.01.08 19:42:46 | 000,671,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll [2013.01.08 19:42:45 | 001,830,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2013.01.08 19:42:44 | 000,026,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2013.01.08 19:42:41 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll [2013.01.08 19:42:40 | 000,070,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe [2013.01.08 19:42:40 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll [2013.01.08 19:42:40 | 000,044,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll [2013.01.08 19:30:02 | 000,622,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\icardagt.exe [2013.01.08 19:30:02 | 000,097,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\infocardapi.dll [2013.01.08 19:30:02 | 000,037,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\infocardcpl.cpl [2013.01.08 19:30:02 | 000,011,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\icardres.dll [2013.01.08 19:29:51 | 000,105,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll [2013.01.08 19:29:50 | 
000,781,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PresentationNative_v0300.dll [2013.01.08 19:22:10 | 032,178,176 | ---- | M] () -- C:\Windows\ocsetup_install_NetFx3.etl [2013.01.08 19:22:10 | 000,458,752 | ---- | M] () -- C:\Windows\ocsetup_cbs_install_NetFx3.perf [2013.01.08 19:22:10 | 000,065,536 | ---- | M] () -- C:\Windows\ocsetup_cbs_install_NetFx3.dpx [2013.01.08 18:48:32 | 000,295,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe [2013.01.08 18:48:32 | 000,099,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll [2013.01.08 18:48:32 | 000,049,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll [2013.01.05 23:44:38 | 000,002,397 | ---- | M] () -- C:\Users\Public\Desktop\IKEA Home Planner.lnk [2013.01.02 20:35:21 | 000,729,088 | ---- | M] (Indigo Rose Corporation) -- C:\Windows\iun6002.exe ========== Files Created - No Company Name ========== [2013.01.05 23:44:18 | 000,002,397 | ---- | C] () -- C:\Users\Public\Desktop\IKEA Home Planner.lnk [2012.10.07 16:44:50 | 000,019,572 | ---- | C] () -- C:\Windows\hpqins13.dat [2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\ProgramData\8680 [2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\ProgramData\4794 [2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\Users\sydney\AppData\Local\4662 [2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\Users\sydney\AppData\Roaming\3888 [2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\ProgramData\1374 [2012.07.29 11:27:59 | 000,122,608 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat [2012.06.23 12:36:43 | 000,000,000 | ---- | C] () -- C:\ProgramData\LauncherAccess.dt [2012.06.23 12:30:12 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys [2012.05.28 15:07:21 | 000,002,008 | ---- | C] () -- C:\Windows\System32\drivers\hidusbf.sys [2012.05.28 12:39:08 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat [2012.05.28 
12:15:54 | 000,000,528 | ---- | C] () -- C:\Windows\eReg.dat [2012.05.28 11:47:46 | 000,161,926 | ---- | C] () -- C:\Windows\hpoins14.dat [2012.05.28 11:47:46 | 000,002,000 | ---- | C] () -- C:\Windows\hpomdl14.dat [2012.05.28 11:38:03 | 000,101,151 | ---- | C] () -- C:\Windows\War3Unin.dat [2012.05.27 23:35:01 | 000,027,430 | ---- | C] () -- C:\Users\sydney\AppData\Roaming\nvModes.dat [2012.05.27 23:35:01 | 000,027,430 | ---- | C] () -- C:\Users\sydney\AppData\Roaming\nvModes.001 [2012.05.27 22:14:54 | 000,172,544 | ---- | C] () -- C:\Users\sydney\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.05.27 21:46:31 | 000,000,680 | ---- | C] () -- C:\Users\sydney\AppData\Local\d3d9caps.dat [2012.05.27 17:35:58 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat [2012.05.15 01:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe ========== ZeroAccess Check ========== [2006.11.02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.30 11:55:24 | 011,315,712 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2012.06.30 11:45:30 | 000,614,912 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2006.11.02 10:46:13 | 000,348,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both < End of report > Code:
OTL Extras logfile created on: 16.01.2013 16:19:09 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = D:\Tools\OTL
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16982)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,00 Gb Total Physical Memory | 0,89 Gb Available Physical Memory | 29,72% Memory free
6,19 Gb Paging File | 4,06 Gb Available in Paging File | 65,57% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140,04 Gb Total Space | 27,73 Gb Free Space | 19,80% Space Free | Partition Type: NTFS
Drive D: | 140,00 Gb Total Space | 65,92 Gb Free Space | 47,08% Space Free | Partition Type: NTFS
Drive E: | 8,89 Gb Total Space | 3,82 Gb Free Space | 42,98% Space Free | Partition Type: NTFS
Drive F: | 9,04 Gb Total Space | 8,97 Gb Free Space | 99,20% Space Free | Partition Type: NTFS
Drive H: | 298,02 Gb Total Space | 37,60 Gb Free Space | 12,62% Space Free | Partition Type: FAT32
Computer Name: SYD-PC | User Name: sydney | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.) Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "oobe_av" = 1 "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2674624654-1717120980-701073699-1000] "EnableNotifications" = 0 "EnableNotificationsRef" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 
"EnableFirewall" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{061D4033-8DE4-4109-AF5B-6E7845B95427}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{1C43A921-C46E-4207-A6ED-B2570AB83C31}" = lport=445 | protocol=6 | dir=in | app=system | "{3270E3BA-83DF-4D02-8147-BAE0B57C931C}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe | "{3909C6C5-E53D-45C6-8635-C00614CBB624}" = rport=138 | protocol=17 | dir=out | app=system | "{3A49E10E-7EC1-47D9-BED1-2E6922D3FF84}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{654227F5-2834-4E32-8534-66B155381C42}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{7D27967F-54D0-416B-87CE-C29CC7344831}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{8E8D5756-131C-4B84-94DA-BAD78AC497FB}" = lport=138 | protocol=17 | dir=in | app=system | "{9A3409BA-8E2D-421C-A6FA-F095501262F9}" = rport=445 | protocol=6 | dir=out | app=system | "{A6B7C094-CE90-44FC-94DA-D959DC7DEAE4}" = lport=139 | protocol=6 | dir=in | app=system | "{B592CCA8-236E-4DFB-960F-6FF28979E2C0}" = lport=137 | protocol=17 | dir=in | app=system | "{B97E4A89-66AC-4A23-B764-0616DD9BC5E9}" = rport=137 | protocol=17 | dir=out | app=system | "{D5523E7A-257A-439E-8A37-C3294A0D5C45}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe | "{ECFE392B-62ED-4FC2-A4EA-FCA8EF9087E6}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{F0C6708C-6AE6-4E5A-BE20-018D0BF05CDE}" = rport=139 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{03BD4888-11EC-489A-BCA5-7FD0CDF0C00B}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\common\payday the heist\payday_win32_release.exe | "{042AE523-F7E8-4EB9-9A15-D7E187ECBFA4}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe | "{090C6208-5E47-46F2-A1B6-9B6F229932CB}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\common\defcon\defcon.exe | "{098ED903-8C91-477C-838E-8967E177FC52}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe | "{0CC99B9D-9A33-42D2-A8EB-62E4E6C607B7}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\****\counter-strike\hl.exe | "{0FD7B221-27BF-4DFE-970F-8D97906326C5}" = protocol=6 | dir=in | app=d:\games\lucasarts\star wars empire at war\gamedata\sweaw.exe | "{117BCFCC-0078-46B5-9ECB-70ECD792674E}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\common\defcon\defcon.exe | "{11B2D498-0234-472E-998C-8FA9C282E656}" = protocol=17 | dir=in | app=d:\games\lucasarts\star wars empire at war\gamedata\sweaw.exe | "{1C0AF75A-C843-4FE6-9630-1EA37CA82612}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | "{2ADAC103-0F4B-4B3D-BC4F-C3173580F776}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe | "{2C08189E-E828-45BE-B985-77CB974EDFE1}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | "{2C829643-B24D-4C03-A9B5-8B7B73B7F152}" = protocol=17 | dir=in | app=d:\games\valve\steam\steam.exe | "{2CD0209B-2623-49EC-96B6-3F27E264DCE3}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\****\counter-strike\hl.exe | "{2D74F76A-D7D4-4558-BFAB-C365E895770C}" = dir=in | app=c:\program files\itunes\itunes.exe | "{392D2281-661B-4451-9062-6B324DF797F2}" = dir=in | app=c:\program files\hp\digital 
imaging\bin\hpqsudi.exe | "{3DAC283C-F6F0-4832-8193-B64DA8FAEB23}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{40B0C380-F619-463D-B4D4-B7817940D8D5}" = protocol=6 | dir=in | app=d:\games\electronic arts\the battle for middle-earth ii\game.dat | "{42394B63-8463-464F-B8E5-AB0608C01E8E}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe | "{4B9AB00A-7DFE-4C58-B65A-6C6093C00E4B}" = protocol=6 | dir=in | app=d:\games\electronic arts\the battle for middle-earth ii - the rise of the witch-king\game.dat | "{5B6F5731-0681-4A21-9CC3-42560ECAE2BB}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{5B92E608-284A-4443-829F-A116C2148C44}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\common\arma 2\arma2.exe | "{6D58D664-CF37-4DCF-B3D6-F062A12FAE09}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe | "{6F19BBD3-F0A8-40AA-9CA7-BF21CD1BFB4F}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\common\left 4 dead 2\left4dead2.exe | "{757AD939-ED22-432B-AB03-B60FEFB0FBE9}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe | "{7BDCBE32-6A23-41BB-A964-2A8B305B2D29}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe | "{83927628-3ED3-4AB6-AAB1-F1A0EE770FE6}" = protocol=17 | dir=in | app=d:\games\electronic arts\the battle for middle-earth ii\game.dat | "{85B4E44D-8ED6-463F-946A-6E9BA00C60BC}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe | "{8AE574A0-FB94-45C9-9A2F-3B482F0420AD}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\common\payday the heist\payday_win32_release.exe | "{8BE6FCE7-9047-435F-8A65-893E1405570F}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\common\left 4 dead 2\left4dead2.exe | 
"{95B5B85D-60F7-4ABC-9BD7-86018D24382A}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe | "{97957D23-F2B2-4260-9AC4-72AF11BAE4CB}" = protocol=6 | dir=in | app=d:\games\valve\steam\steamapps\common\arma 2\arma2.exe | "{99AFF01E-7EF7-4687-977A-57E8BC12C86C}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{9C0D560E-3F97-4D68-AF63-EFD46650607E}" = protocol=17 | dir=in | app=d:\games\electronic arts\the battle for middle-earth ii - the rise of the witch-king\game.dat | "{9E193A8D-8450-4698-AC3A-D1E56D6F94E5}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{A72FCA7E-6B0C-413F-8305-B6DB7CE97B7C}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{B7F2E6E3-CC88-46F5-8E5B-0A491C84F93F}" = protocol=6 | dir=in | app=d:\games\valve\steam\steam.exe | "{C1439408-68B4-4182-B71A-2C8D65C2FCBD}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{C2665A48-F4FA-4E45-B519-63A2C725AD63}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | "{CC261739-F456-4CBF-8369-C987F59E9F96}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{D43F931A-1C8A-4FCD-9E51-733664CDDEC2}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\****\counter-strike\hl.exe | "{EB0ACD9F-BA50-44EE-BC89-B489627AEEA2}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{EFD79307-32DF-4DFA-B851-C8B5845C5346}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{FC79AE8A-5A81-4E11-A29F-A45F3AF1873B}" = protocol=17 | dir=in | app=d:\games\valve\steam\steamapps\****\counter-strike\hl.exe | "TCP Query User{050B4E2A-15E0-4F7F-910E-8FDE28B4FC6A}D:\games\valve\left 4 dead 2\left4dead2.exe" = protocol=6 | dir=in | app=d:\games\valve\left 4 dead 2\left4dead2.exe | "TCP Query User{0ADC55F4-D61C-485A-82C1-4403D4D8035F}D:\games\microsoft games\age of empires 
ii\empires2.icd" = protocol=6 | dir=in | app=d:\games\microsoft games\age of empires ii\empires2.icd | "TCP Query User{0C269670-AF96-49F6-9B7F-C45F46A34200}D:\games\electronic arts\battlefield 1942\bf1942.exe" = protocol=6 | dir=in | app=d:\games\electronic arts\battlefield 1942\bf1942.exe | "TCP Query User{3B14DA31-1D5C-4B99-A9B0-3B4B83A3020C}D:\tools\six networks\play withsix\tools\bin\rsync.exe" = protocol=6 | dir=in | app=d:\tools\six networks\play withsix\tools\bin\rsync.exe | "TCP Query User{422C7F58-FF71-48B4-82A7-AE7930AB2C0E}D:\games\valve\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=d:\games\valve\counter-strike source\hl2.exe | "TCP Query User{4B95B5B7-52B3-4A5D-954E-0DC627DA52A1}D:\games\firefly studios\stronghold crusader\stronghold crusader.exe" = protocol=6 | dir=in | app=d:\games\firefly studios\stronghold crusader\stronghold crusader.exe | "TCP Query User{7CA95303-8560-49C4-93BA-580AAAD780DF}D:\tools\yawle\yawle.exe" = protocol=6 | dir=in | app=d:\tools\yawle\yawle.exe | "TCP Query User{7FA6208D-BA79-47BB-8018-6090C46E4CFB}D:\games\fox\aliens vs. predator 2\lithtech.exe" = protocol=6 | dir=in | app=d:\games\fox\aliens vs. 
predator 2\lithtech.exe | "TCP Query User{832633F1-1263-4850-8618-7AE887494263}D:\games\firefly studios\stronghold crusader\stronghold_crusader_extreme.exe" = protocol=6 | dir=in | app=d:\games\firefly studios\stronghold crusader\stronghold_crusader_extreme.exe | "TCP Query User{93AD2A85-1457-4971-BBD3-10407AE21BD7}D:\games\microsoft games\age of empires ii\empires2.icd" = protocol=6 | dir=in | app=d:\games\microsoft games\age of empires ii\empires2.icd | "TCP Query User{9482071E-3B6A-4BF3-9216-AFC8A82BC61C}C:\program files\miranda im\miranda32.exe" = protocol=6 | dir=in | app=c:\program files\miranda im\miranda32.exe | "TCP Query User{C2281212-7A96-4483-8CFF-EDA24A2BC10B}C:\program files\winamp\winamp.exe" = protocol=6 | dir=in | app=c:\program files\winamp\winamp.exe | "TCP Query User{C992D648-3538-4AFC-95E8-826B2026424D}C:\users\sydney\documents\arma 2\expansion\beta\arma2oa.exe" = protocol=6 | dir=in | app=c:\users\sydney\documents\arma 2\expansion\beta\arma2oa.exe | "TCP Query User{CCAF5AEF-BAE1-494F-9792-6401117095E9}D:\games\blizzard\warcraft iii\war3.exe" = protocol=6 | dir=in | app=d:\games\blizzard\warcraft iii\war3.exe | "TCP Query User{DCF7B395-4BE6-415D-B510-D4AC40CD8FCA}C:\windows\system32\dplaysvr.exe" = protocol=6 | dir=in | app=c:\windows\system32\dplaysvr.exe | "TCP Query User{FAC464CB-B7AC-400F-9F27-8E6EC1AD8370}C:\program files\miranda im\miranda32.exe" = protocol=6 | dir=in | app=c:\program files\miranda im\miranda32.exe | "UDP Query User{0D66CDED-DE1C-4662-B2D0-18917E9375A7}C:\windows\system32\dplaysvr.exe" = protocol=17 | dir=in | app=c:\windows\system32\dplaysvr.exe | "UDP Query User{12364BA9-5311-4787-8E76-2349445D5E96}D:\games\valve\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=d:\games\valve\counter-strike source\hl2.exe | "UDP Query User{18844847-9A6C-4719-94EA-C9C20C44AC7C}D:\games\electronic arts\battlefield 1942\bf1942.exe" = protocol=17 | dir=in | app=d:\games\electronic arts\battlefield 1942\bf1942.exe | "UDP Query 
User{18BE3B3E-44A7-4067-9ED9-BD6D8FBB5854}D:\games\blizzard\warcraft iii\war3.exe" = protocol=17 | dir=in | app=d:\games\blizzard\warcraft iii\war3.exe | "UDP Query User{1ADE47B1-FE39-45AC-8098-9C911F91573D}D:\games\firefly studios\stronghold crusader\stronghold crusader.exe" = protocol=17 | dir=in | app=d:\games\firefly studios\stronghold crusader\stronghold crusader.exe | "UDP Query User{282300C2-8D7A-4B5A-B846-495B944E1945}D:\games\valve\left 4 dead 2\left4dead2.exe" = protocol=17 | dir=in | app=d:\games\valve\left 4 dead 2\left4dead2.exe | "UDP Query User{383DA765-1948-4D7C-8C9D-979684510026}D:\games\firefly studios\stronghold crusader\stronghold_crusader_extreme.exe" = protocol=17 | dir=in | app=d:\games\firefly studios\stronghold crusader\stronghold_crusader_extreme.exe | "UDP Query User{3A4009E9-7C24-461D-863B-59FFCB63556A}C:\program files\miranda im\miranda32.exe" = protocol=17 | dir=in | app=c:\program files\miranda im\miranda32.exe | "UDP Query User{3C4B4540-1F62-4E0D-833C-7E7B099CBE1B}D:\games\microsoft games\age of empires ii\empires2.icd" = protocol=17 | dir=in | app=d:\games\microsoft games\age of empires ii\empires2.icd | "UDP Query User{5EBBE300-21E7-441A-8AD5-FF99CCC27414}D:\tools\six networks\play withsix\tools\bin\rsync.exe" = protocol=17 | dir=in | app=d:\tools\six networks\play withsix\tools\bin\rsync.exe | "UDP Query User{8FF70972-4476-4520-8FDD-7FE4D6FAD244}D:\games\fox\aliens vs. predator 2\lithtech.exe" = protocol=17 | dir=in | app=d:\games\fox\aliens vs. 
predator 2\lithtech.exe | "UDP Query User{B17EEF38-D456-4039-B6D2-0FB04BB58A62}C:\users\sydney\documents\arma 2\expansion\beta\arma2oa.exe" = protocol=17 | dir=in | app=c:\users\sydney\documents\arma 2\expansion\beta\arma2oa.exe | "UDP Query User{C7C67AC2-D4A8-4DD3-8708-FEFB52D08F4B}D:\games\microsoft games\age of empires ii\empires2.icd" = protocol=17 | dir=in | app=d:\games\microsoft games\age of empires ii\empires2.icd | "UDP Query User{D0764A25-4B03-4A0C-9D91-3170F9A94D6D}C:\program files\winamp\winamp.exe" = protocol=17 | dir=in | app=c:\program files\winamp\winamp.exe | "UDP Query User{DABD8BE6-32BB-43B5-9353-529E6279F7AF}D:\tools\yawle\yawle.exe" = protocol=17 | dir=in | app=d:\tools\yawle\yawle.exe | "UDP Query User{F5B727E8-68D6-4DC7-92AB-97296E2331B9}C:\program files\miranda im\miranda32.exe" = protocol=17 | dir=in | app=c:\program files\miranda im\miranda32.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp "{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy "{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery "{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg "{2A9F95AB-65A3-432c-8631-B8BC5BF7477A}" = The Battle for Middle-earth (tm) II "{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update "{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3EF79591-BF16-4CF8-8FF0-D8AD968228B1}" = Aliens vs. 
Predator 2 "{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing "{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD "{42DCB650-F003-4535-A5CD-32AD815CD2DD}" = Play withSIX "{459699C3-9430-4381-964B-4248D87B49F9}" = Apple Mobile Device Support "{46991620-ECC1-462B-88BF-5B91BF133E77}" = Oracle VM VirtualBox 4.1.16 "{4BA6784F-3B10-473A-B9F5-33A36AC354D5}" = Google SketchUp 8 "{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport "{54B7A3C7-0940-4C16-A509-FC3C3758D22A}_is1" = Amnesia - The Dark Descent "{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder "{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1 "{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}" = Battlefield 1942 "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour "{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator 4.6.0 "{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01 "{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007 "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007 "{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007 "{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007 "{91B930B5-9281-4A6E-8E74-978247499AE7}" = DayZ Commander "{99AE7207-8612-4DBA-A8F8-BAE5C633390D}" = Star Wars Empire at War "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad "{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}" = WIDCOMM Bluetooth Software 6.0.1.3100 "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio "{A6B90148-02C5-4fd3-8D7A-EF2386835CB9}" = F4100_Help "{A6C265BE-E2C1-483e-843D-6B4C1E912AE0}" = F4100 "{A80FA752-C491-4ED9-ABF0-4278563160B2}" = 32 Bit HP CIO Components Installer "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch "{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant "{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime "{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan "{B0261E53-B6F1-474A-864B-E7C3CBF468E0}" = iTunes "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller-Treiber 301.42 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.12.0213 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.8.15 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA 
Install Application "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components "{B3276CB1-20B6-4AF9-AAEC-E72C83816495}" = IKEA Home Planner "{B4509BCE-7BAD-4a8c-B1AE-4D0CE7467C42}" = F4100_doccd "{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min "{B931FB80-537A-4600-00AD-AC5DEDB6C25B}" = The Lord of the Rings, The Rise of the Witch-king "{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter "{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs "{CA50045C-5119-48e7-9BA7-6B317379857A}" = DJ_AIO_Software "{CCE825DB-347A-4004-A186-5F4A6FDD8547}" = Apple Application Support "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component "{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential "{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX "{E2494AD8-314D-44F8-B39C-4358A60DC184}" = LogMeIn Hamachi "{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm "{E548726E-F4E8-459f-BAB8-45551BC071E9}" = DJ_AIO_ProductContext "{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox "{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE "{FA8A44D7-3E8A-4034-9C4F-088FA6B72BC4}" = HP Deskjet All-In-One Software 9.0 "{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status "{FFD44E90-AEA4-4D25-AF53-5CE2723E88DA}" = MarketingReg "7-Zip" = 7-Zip 9.20 "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Age of Empires 2.0" = Microsoft Age of Empires II "BattlEye for A2" = BattlEye Uninstall "BattlEye for OA" = BattlEye for OA Uninstall "CCleaner" = CCleaner "ENTERPRISE" = Microsoft Office Enterprise 2007 "HP Imaging Device Functions" = HP Imaging Device Functions 9.0 "HP Photosmart Essential" = HP Photosmart Essential 3.5 "HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0 "IrfanView" = IrfanView (remove only) "L4D2 RevEMU v2054+" = L4D2 RevEMU v2054+ "Left4Dead2-hohesC_is1" = Left 4 Dead 2 - 2.0.0.5 "LogMeIn Hamachi" = LogMeIn Hamachi 
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100 "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Miranda IM" = Miranda IM 0.10.8 "Mozilla Firefox 18.0 (x86 de)" = Mozilla Firefox 18.0 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "NVIDIA StereoUSB Driver" = NVIDIA 3D Vision Controller Driver "NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver "StarCraft" = StarCraft "Steam App 10" = Counter-Strike "Steam App 1520" = DEFCON "Steam App 219540" = ARMA 2: Operation Arrowhead Beta "Steam App 24240" = PAYDAY: The Heist "Steam App 33910" = ARMA 2 "Steam App 33930" = ARMA 2: Operation Arrowhead "Steam App 550" = Left 4 Dead 2 "TeamSpeak 3 Client" = TeamSpeak 3 Client "TrueCrypt" = TrueCrypt "VirtualCloneDrive" = VirtualCloneDrive "VLC media player" = VLC media player 1.0.3 "Warcraft III" = Warcraft III "Winamp" = Winamp "Yawle_0.3b" = YAWLE 0.5b ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Warcraft III" = Warcraft III: All Products ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 11.01.2013 14:16:47 | Computer Name = syd-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 3136 Error - 11.01.2013 14:16:47 | Computer Name = syd-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 3136 Error - 12.01.2013 08:49:12 | Computer Name = syd-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 12.01.2013 08:49:12 | Computer Name = syd-PC | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 999 
Error - 12.01.2013 08:49:12 | Computer Name = syd-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 999

Error - 12.01.2013 08:49:13 | Computer Name = syd-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12.01.2013 08:49:13 | Computer Name = syd-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2060

Error - 12.01.2013 08:49:13 | Computer Name = syd-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2060

Error - 12.01.2013 15:30:56 | Computer Name = syd-PC | Source = Application Error | ID = 1000
Description = Faulting application arma2oa.exe, version 1.62.100.544, time stamp 0x50ec370b, faulting module arma2oa.exe, version 1.62.100.544, time stamp 0x50ec370b, exception code 0xc0000005, fault offset 0x00444b9d, process id 0x1518, application start time 01cdf0e0ce62bb90.

Error - 12.01.2013 17:19:22 | Computer Name = syd-PC | Source = Application Error | ID = 1000
Description = Faulting application arma2oa.exe, version 1.62.100.544, time stamp 0x50ec370b, faulting module BEClient.dll_unloaded, version 0.0.0.0, time stamp 0x5072f1a5, exception code 0xc0000005, fault offset 0x0bfa3250, process id 0x9f8, application start time 01cdf0fe64885c70.

[ OSession Events ]
Error - 11.08.2012 08:42:02 | Computer Name = syd-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 8369 seconds with 600 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12.01.2013 04:46:41 | Computer Name = syd-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12.01.2013 10:53:32 | Computer Name = syd-PC | Source = BTHUSB | ID = 327697
Description = The local Bluetooth adapter has failed for an unknown reason and is not being used. The driver has been unloaded.

Error - 13.01.2013 04:38:36 | Computer Name = syd-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 13.01.2013 10:04:55 | Computer Name = syd-PC | Source = BTHUSB | ID = 327697
Description = The local Bluetooth adapter has failed for an unknown reason and is not being used. The driver has been unloaded.

Error - 13.01.2013 14:54:18 | Computer Name = syd-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 14.01.2013 09:38:10 | Computer Name = syd-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 15.01.2013 02:44:49 | Computer Name = syd-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 15.01.2013 10:15:11 | Computer Name = syd-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 15.01.2013 19:15:16 | Computer Name = syd-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 16.01.2013 08:22:25 | Computer Name = syd-PC | Source = Service Control Manager | ID = 7000
Description =

< End of report >
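The OTL log in the post above is the sort of thing the helpers in this thread triage by eye. What follows is an added example of doing that first pass programmatically; it is not code from the original post and not part of OTL. It parses OTL file entries (the "[date time | size | attrs | C/M] (company) -- path" format), reads the service-pack level out of the "Version = 6.0.6000" header (the Vista build-to-SP mapping, 6000 = RTM, 6001 = SP1, 6002 = SP2, is general knowledge rather than something read from the log), and applies two heuristics: a burst of same-size, same-second files with no company name landing in user-writable directories, and executables or drivers under C:\Windows whose version info carries no company name. The sample text is constructed from entries that appear in the log; all function and constant names are my own. Hits are leads to hash and look up, not verdicts.

```python
"""Triage helpers for an OTL log as pasted in the thread above.

Added example, not code from the original post and not part of OTL.
SAMPLE_LOG is constructed from entries in the log (one per line for
readability; the parser also accepts the run-together form on the page).
"""
import re
from collections import defaultdict
from datetime import datetime

# One OTL file entry: [date time | size | attrs | C/M] (company) -- path
# The lookahead ends the path at the next entry, a "=====" header or end of line.
ENTRY_RE = re.compile(
    r"\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- "
    r"(?P<path>[A-Za-z]:\\.*?)(?=\s+\[\d{4}\.\d{2}\.\d{2}|\s*=====|\s*$)",
    re.MULTILINE,
)
OS_RE = re.compile(r"\(Version = (?P<ver>\d+\.\d+\.\d+)\)")

# Vista build numbers: 6000 = RTM, 6001 = SP1, 6002 = SP2 (general knowledge, not from the log).
VISTA_SP = {"6.0.6000": "RTM (no service pack)", "6.0.6001": "SP1", "6.0.6002": "SP2"}

# Directories a non-elevated process can write to (assumed list for this example).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")


def parse_entries(text):
    """Return one dict per OTL file entry, in log order."""
    out = []
    for m in ENTRY_RE.finditer(text):
        out.append({
            "ts": datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attr": m["attr"],
            "kind": m["kind"],                 # C = created, M = modified
            "company": m["company"].strip(),   # empty when version info has no CompanyName
            "path": m["path"].strip(),
        })
    return out


def service_pack_level(text):
    """Map 'Version = x.y.build' from the OTL header to a Vista SP level."""
    m = OS_RE.search(text)
    if not m:
        return None
    return VISTA_SP.get(m["ver"], f"unknown build {m['ver']}")


def find_drop_bursts(entries, min_files=3):
    """Files created in the same second, same size, no company name, in
    user-writable directories: a pattern worth a closer look (a lead, not a verdict)."""
    groups = defaultdict(list)
    for e in entries:
        if e["kind"] == "C" and not e["company"]:
            groups[(e["ts"], e["size"])].append(e["path"])
    bursts = []
    for (ts, size), paths in sorted(groups.items()):
        if len(paths) >= min_files and any(u in p.lower() for p in paths for u in USER_WRITABLE):
            bursts.append({"ts": ts, "size": size, "paths": paths})
    return bursts


def find_unattributed_executables(entries):
    """Executables/drivers under C:\\Windows with no company name in their
    version info: legitimate vendors usually fill this in, so hash and look
    these up first."""
    return [e["path"] for e in entries
            if e["path"].lower().endswith(EXEC_EXT) and not e["company"]
            and "\\windows\\" in e["path"].lower()]


# Constructed sample: entries taken from the log above, one per line.
SAMPLE_LOG = r"""
OTL Extras logfile created on: 16.01.2013 16:19:09 - Run 1
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
========== Files Created - No Company Name ==========
[2013.01.05 23:44:18 | 000,002,397 | ---- | C] () -- C:\Users\Public\Desktop\IKEA Home Planner.lnk
[2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\ProgramData\8680
[2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\ProgramData\4794
[2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\Users\sydney\AppData\Local\4662
[2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\Users\sydney\AppData\Roaming\3888
[2012.10.06 11:13:05 | 000,000,012 | ---- | C] () -- C:\ProgramData\1374
[2012.07.29 11:27:59 | 000,122,608 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2012.06.23 12:30:12 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2012.05.28 15:07:21 | 000,002,008 | ---- | C] () -- C:\Windows\System32\drivers\hidusbf.sys
[2012.05.15 01:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
[2013.01.02 20:35:21 | 000,729,088 | ---- | M] (Indigo Rose Corporation) -- C:\Windows\iun6002.exe
========== ZeroAccess Check ==========
"""

if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    print("service pack:", service_pack_level(SAMPLE_LOG))
    for b in find_drop_bursts(ents):
        print(f"burst {b['ts']} size={b['size']}: {len(b['paths'])} files -> {b['paths']}")
    print("unattributed executables:", find_unattributed_executables(ents))
```

On the sample this reports the build as RTM, one burst (five 12-byte files written in the same second to ProgramData and the user's AppData) and three binaries under System32 with no company name. The log itself does not say what those files are, which is exactly why they are the ones to hash and check first. Whether such a pattern has anything to do with the provider's ZeuS notice cannot be decided from a file listing alone; the connection data (IP and time) that the OP later obtained from Telekom is what actually answers that question.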
16.01.2013, 17:11 | #2
/// Malware-holic
Hi,
why has your Windows never seen any updates, not a single service pack? Given these facts, the statement that it is unlikely is at least very bold. Open MSE and post all findings, please.
16.01.2013, 17:51 | #3
On the topic of Windows:
Some time ago I formatted my laptop; when I then wanted to install the updates afterwards, there were always problems on reboot (I don't remember exactly what it was, I got a blue screen or something similar right away) and I could only ever save myself with a system restore. So at some point I gave up on it. Apart from that, I have the problem that when I go to "Windows Update" it shows me x important and y optional updates, but when I then click on, for example, "important updates" it doesn't show me which ones they are, i.e. I can't select them (see attachment). But I actually thought I had installed the SPs.

On the topic of "...is unlikely...": Well, I dare to claim that because I once had the bad luck of catching a worm and have been extremely careful ever since.

On the topic of MSE: I first had to install it. The "quick scan" after installation found nothing! The "full scan" is still running.
17.01.2013, 07:15 | #4
But thanks for the hint about the SPs! The "full scan" has now finished as well. One potential threat was found, see attachment. However, it is winscp, and I believe it is only listed because of how it works; the program itself is trustworthy after all. I have not taken any action yet (Quarantine / Allow / Remove).
17.01.2013, 19:17 | #5
/// Malware-holic
Hi, please post the message as text. Maybe back then you forgot to install the current drivers, and that is why there were problems.

Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de. Forwarding instructions: http://markusg.trojaner-board.de. For now, please forward mails to markusg.trojaner-board@web.de following the instructions above. If you would like to support us
17.01.2013, 21:50 | #6 |
| PC infected with ZeuS/ZBot? Logs available. Right, unfortunately I can't post it as a log / text, because it is only shown to me the way it appears on the screenshot. This is all I can do: Code:
Kategorie: Adware
Beschreibung: Dieses Programm zeigt potenziell unerwünschte Werbefenster und Popupwerbungen auf dem Computer an.
Empfohlene Aktion: Lassen Sie dieses entdeckte Element nur zu, wenn Sie dem Programm oder dem Softwareherausgeber vertrauen.
Elemente:
containerfile:C:\Users\sydney\Downloads\Programme\PLUS\winscp429setup.exe
file:C:\Users\sydney\Downloads\Programme\PLUS\winscp429setup.exe->(inno#000011)
Apart from that, Telekom has in the meantime sent me the connection data (IP / time), and based on that I can rule out that my laptop is infected with ZeuS. I have also already found out which one it ultimately was. |
18.01.2013, 19:44 | #7 |
/// Malware-holic | PC infected with ZeuS/ZBot? Logs available. Hi, the way you have posted the message now is how I wanted to see it, since I have a problem with my eyes and screenshots are awkward for me. Shall we take a look at the affected laptop? Install all drivers on your device, then get service pack 1 first and then 2.
19.01.2013, 01:40 | #8 |
| PC infected with ZeuS/ZBot? Logs available. Hey, oh I see, all clear. No thanks, there is no need to look at it any more. My brother has already taken care of the affected laptop on site. OK, I will do that! As I said, I thought I had installed SP1 & 2. Thanks again for the hint! That takes care of my request, then. Thanks |