| |
| |||||||
Log-Analyse und Auswertung: GVU / Bundespolizeitrojaner (Skypevariante?); System Win7 32bit; Infektionszeit 09.03.13 23:05Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
10.03.2013, 15:52
| #1 |
 |  GVU / Bundespolizeitrojaner (Skypevariante?); System Win7 32bit; Infektionszeit 09.03.13 23:05 Hallo, mein Rechner wurde von einer Version befallen, auf deren Blockadebild GVU- und Bundespolizei-Logo vorhanden ist. Bezahloption ist neben Ukash auch Paysafe. Ich habe nachdem ich letztes Jahr bereits mal von der Version 2.07 befallen war, unter Verwendung eines 2.Benutzer folgende Schritte beim befallenen Benutzer durchgeführt: - Trojaner-exe (vermeintlich) gelöscht - keine .ink im Autostart gefunden Nach Neustart erschien kurz ein Auswahlfenster, in dem man eine Videoquelle angeben kann. Dann dauerte es etwas und der Blockadebildschirm war wieder da. - Suche nach Dateien zum fraglichen Zeitpunkt - löschen der Dateien skype.dat / skype.ini - löschen sämtlicher Dateien zum Zeitpunkt Danach hatte ich beim befallenen User wieder eingeschränkten Zugriff. Da es sich hierbei jedoch um einen reinen User fürs surfen handelte haben ich kurzer Hand den kompletten User gelöscht. Danach habe ich unter meinem Hauptuser folgendes durchgeführt: Avira Internet Security inkl. Bereinigung Scan mit Malewarebyte Scan mit OTL OTL.txt Code:
ATTFilter OTL logfile created on: 10.03.2013 13:11:02 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Matthias\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,00 Gb Total Physical Memory | 2,06 Gb Available Physical Memory | 68,84% Memory free
6,00 Gb Paging File | 4,81 Gb Available in Paging File | 80,13% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111,69 Gb Total Space | 64,97 Gb Free Space | 58,17% Space Free | Partition Type: NTFS
Drive E: | 1863,01 Gb Total Space | 964,42 Gb Free Space | 51,77% Space Free | Partition Type: NTFS
Drive V: | 0,00 Mb Total Space | 0,00 Mb Free Space | 100,00% Space Free | Partition Type: UNKNOWN
Drive Z: | 1863,01 Gb Total Space | 108,40 Gb Free Space | 5,82% Space Free | Partition Type: NTFS
Computer Name: MATTHIAS-PC | User Name: Matthias | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013.03.10 10:29:54 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Matthias\Desktop\OTL(2).exe
PRC - [2013.03.10 08:26:49 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2013.03.10 08:26:23 | 000,565,472 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2013.03.10 08:26:22 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2013.03.10 08:26:20 | 000,400,608 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avmailc.exe
PRC - [2013.03.10 08:26:19 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2013.03.10 08:26:18 | 000,657,120 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avfwsvc.exe
PRC - [2013.03.10 08:26:18 | 000,385,248 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2013.01.28 13:08:14 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Programme\Common Files\Apple\Apple Application Support\APSDaemon.exe
PRC - [2012.12.18 15:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012.12.17 17:14:14 | 000,059,872 | ---- | M] (Apple Inc.) -- C:\Programme\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
PRC - [2012.12.17 16:48:14 | 000,059,872 | ---- | M] (Apple Inc.) -- C:\Programme\Common Files\Apple\Internet Services\iCloudServices.exe
PRC - [2012.12.03 13:09:36 | 001,588,280 | ---- | M] () -- C:\Programme\SEH Computertechnik GmbH\SEH UTN Manager\utnservice.exe
PRC - [2012.11.23 03:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012.09.02 17:25:42 | 003,491,792 | ---- | M] (Acronis) -- C:\Programme\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2012.06.28 19:49:22 | 001,173,712 | ---- | M] (Acronis) -- C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2012.06.28 19:48:10 | 005,924,712 | ---- | M] (Acronis) -- C:\Programme\Common Files\Acronis\SyncAgent\syncagentsrv.exe
PRC - [2012.06.28 19:47:22 | 000,821,584 | ---- | M] (Acronis) -- C:\Programme\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2012.06.28 19:47:12 | 000,403,688 | ---- | M] (Acronis) -- C:\Programme\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2012.06.28 19:46:30 | 005,993,216 | ---- | M] (Acronis) -- C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2012.05.29 12:09:52 | 001,528,672 | ---- | M] (TuneUp Software) -- C:\Programme\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
PRC - [2012.05.29 12:09:52 | 001,220,960 | ---- | M] (TuneUp Software) -- C:\Programme\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
PRC - [2012.01.20 20:03:48 | 000,719,672 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office14\MSOSYNC.EXE
PRC - [2011.11.04 14:40:06 | 000,687,400 | ---- | M] (Nero AG) -- C:\Programme\Nero\Update\NASvc.exe
PRC - [2011.09.16 00:16:48 | 000,025,824 | ---- | M] (Memeo) -- C:\Programme\Memeo\AutoBackup\MemeoBackgroundService.exe
PRC - [2011.09.16 00:16:44 | 000,322,784 | ---- | M] () -- C:\Programme\Memeo\AutoBackup\InstantBackup.exe
PRC - [2011.08.03 12:50:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011.08.03 12:50:00 | 000,812,648 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2011.08.03 12:50:00 | 000,373,864 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\nvtray.exe
PRC - [2011.02.25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.12.13 14:37:46 | 000,135,536 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft LifeCam\MSCamS32.exe
PRC - [2010.11.20 13:17:41 | 001,174,016 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Sidebar\sidebar.exe
PRC - [2010.03.15 10:58:30 | 000,172,544 | ---- | M] (Panasonic Corporation) -- C:\Programme\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe
PRC - [2007.06.15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) -- C:\Windows\System32\bgsvcgen.exe
PRC - [2001.11.12 14:31:48 | 000,020,480 | ---- | M] (X10) -- C:\Programme\Common Files\X10\Common\X10nets.exe
========== Modules (No Company Name) ==========
MOD - [2013.02.15 03:27:57 | 001,670,144 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7366a39c36523a084bc11c230929ff92\Microsoft.VisualBasic.ni.dll
MOD - [2013.02.15 03:22:16 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\7ff638de44686eab4afaa8b3c8a9cfca\System.ServiceProcess.ni.dll
MOD - [2013.02.15 03:22:09 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5ecf01964c70e453d71e5d7653912ff9\System.Web.ni.dll
MOD - [2013.02.15 03:22:00 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll
MOD - [2013.01.10 03:26:17 | 001,051,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\302207b4fa3083899fd8ab4db98cecc5\System.Management.ni.dll
MOD - [2013.01.10 03:26:14 | 000,689,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlServ#\61fe2f344612f7b3b87f630e89b261e6\System.Data.SqlServerCe.ni.dll
MOD - [2013.01.10 03:21:47 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll
MOD - [2013.01.10 03:21:46 | 000,628,224 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\01c6cb58745f397c9b7ccf3ab7bfc9cd\System.EnterpriseServices.ni.dll
MOD - [2013.01.10 03:21:46 | 000,627,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\536d704e93ffec9b54e4a0312fb5b996\System.Transactions.ni.dll
MOD - [2013.01.10 03:21:45 | 006,610,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\bd5f32f9081b6307cadda7422145553e\System.Data.ni.dll
MOD - [2013.01.10 03:21:17 | 001,592,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll
MOD - [2013.01.10 03:21:00 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
MOD - [2013.01.10 03:20:57 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll
MOD - [2013.01.10 03:20:56 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
MOD - [2013.01.10 03:20:49 | 011,493,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
MOD - [2012.06.28 19:46:10 | 013,005,184 | ---- | M] () -- C:\Programme\Acronis\TrueImageHome\Common\ti_managers.dll
MOD - [2012.06.28 16:34:28 | 000,018,816 | ---- | M] () -- C:\Programme\Acronis\TrueImageHome\ti_managers_proxy_stub.dll
MOD - [2011.11.01 23:26:32 | 000,087,912 | ---- | M] () -- C:\Programme\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011.11.01 23:26:12 | 001,242,472 | ---- | M] () -- C:\Programme\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011.09.16 00:18:06 | 000,028,672 | ---- | M] () -- C:\Programme\Memeo\AutoBackup\de-DE\InstantBackup.resources.dll
MOD - [2011.09.16 00:17:06 | 002,888,416 | ---- | M] () -- C:\Programme\Memeo\AutoBackup\Memeo.Client.UI.dll
MOD - [2011.09.16 00:17:04 | 000,025,824 | ---- | M] () -- C:\Programme\Memeo\AutoBackup\Memeo.Client.DriveDetection.dll
MOD - [2011.09.16 00:16:44 | 000,322,784 | ---- | M] () -- C:\Programme\Memeo\AutoBackup\InstantBackup.exe
MOD - [2011.03.17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Programme\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010.11.13 01:02:21 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll
MOD - [2010.11.05 02:58:05 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010.04.05 19:52:36 | 000,504,293 | ---- | M] () -- C:\Programme\Memeo\AutoBackup\sqlite3.dll
MOD - [2010.04.05 19:52:18 | 000,053,248 | ---- | M] () -- C:\Programme\Memeo\AutoBackup\Mono.Nat.dll
MOD - [2009.08.16 17:06:02 | 000,141,312 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll
MOD - [2009.06.10 22:23:19 | 000,261,632 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
========== Services (SafeList) ==========
SRV - [2013.03.10 08:26:49 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013.03.10 08:26:23 | 000,565,472 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe -- (AntiVirWebService)
SRV - [2013.03.10 08:26:20 | 000,400,608 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService)
SRV - [2013.03.10 08:26:19 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2013.03.10 08:26:18 | 000,657,120 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avfwsvc.exe -- (AntiVirFirewallService)
SRV - [2013.03.09 13:36:30 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.02.27 09:28:39 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.01.08 15:19:46 | 000,161,536 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.12.18 15:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.12.03 13:09:36 | 001,588,280 | ---- | M] () [Auto | Running] -- C:\Programme\SEH Computertechnik GmbH\SEH UTN Manager\utnservice.exe -- (SEH UTN Service)
SRV - [2012.09.20 13:28:48 | 030,785,672 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2012.09.02 17:25:42 | 003,491,792 | ---- | M] (Acronis) [Auto | Running] -- C:\Programme\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2012.06.28 19:48:10 | 005,924,712 | ---- | M] (Acronis) [Auto | Running] -- C:\Programme\Common Files\Acronis\SyncAgent\syncagentsrv.exe -- (syncagentsrv)
SRV - [2012.06.28 19:47:22 | 000,821,584 | ---- | M] (Acronis) [Auto | Running] -- C:\Programme\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2012.05.29 12:09:52 | 001,528,672 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Programme\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2012.05.29 12:09:50 | 000,029,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\System32\uxtuneup.dll -- (UxTuneUp)
SRV - [2011.11.04 14:40:06 | 000,687,400 | ---- | M] (Nero AG) [Auto | Running] -- C:\Programme\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2011.09.16 00:16:48 | 000,025,824 | ---- | M] (Memeo) [Auto | Running] -- C:\Programme\Memeo\AutoBackup\MemeoBackgroundService.exe -- (MemeoBackgroundService)
SRV - [2011.08.03 12:50:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2010.12.13 14:37:46 | 000,135,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2010.11.20 13:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2010.01.09 21:37:50 | 004,640,000 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
SRV - [2010.01.09 21:18:00 | 000,149,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
SRV - [2009.08.10 15:59:50 | 000,178,720 | ---- | M] () [Disabled | Stopped] -- C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp)
SRV - [2009.08.10 15:59:48 | 000,387,616 | ---- | M] () [Disabled | Stopped] -- C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)
SRV - [2009.07.14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.02.03 14:53:00 | 001,155,072 | ---- | M] (MAGIX AG) [Disabled | Stopped] -- C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs)
SRV - [2008.08.07 10:10:02 | 003,276,800 | ---- | M] (MAGIX®) [Disabled | Stopped] -- C:\Programme\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)
SRV - [2007.06.15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Running] -- C:\Windows\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2007.06.05 13:20:32 | 000,177,704 | ---- | M] () [Disabled | Stopped] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)
SRV - [2001.11.12 14:31:48 | 000,020,480 | ---- | M] (X10) [Auto | Running] -- C:\Programme\Common Files\X10\Common\X10nets.exe -- (x10nets)
========== Driver Services (SafeList) ==========
DRV - File not found [Recognizer | On_Demand | Unknown] -- -- (Paiihevca)
DRV - [2013.03.10 08:27:07 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2013.03.10 08:27:07 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2013.03.10 08:27:07 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2013.03.10 08:27:06 | 000,113,024 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avfwot.sys -- (avfwot)
DRV - [2013.03.10 08:27:06 | 000,092,448 | ---- | M] (Avira GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avfwim.sys -- (avfwim)
DRV - [2013.03.10 08:27:06 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.12.03 13:09:58 | 000,042,552 | ---- | M] (SEH Computertechnik GmbH) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\sehutn.sys -- (sehutn)
DRV - [2012.09.02 17:25:43 | 000,234,752 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\afcdp.sys -- (afcdp)
DRV - [2012.09.02 17:25:41 | 000,775,232 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tdrpman.sys -- (tdrpman)
DRV - [2012.09.02 17:25:37 | 000,614,592 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\timntr.sys -- (timounter)
DRV - [2012.09.02 17:25:36 | 000,126,880 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vididr.sys -- (vididr)
DRV - [2012.09.02 17:25:35 | 000,086,496 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vsflt67.sys -- (vidsflt67)
DRV - [2012.09.02 17:25:34 | 000,177,600 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\snapman.sys -- (snapman)
DRV - [2012.09.02 17:25:34 | 000,080,416 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\fltsrv.sys -- (fltsrv)
DRV - [2012.08.23 15:44:32 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2012.08.23 15:40:25 | 000,049,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2011.12.12 19:31:38 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Programme\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2011.08.03 12:50:00 | 010,304,104 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011.07.20 01:54:06 | 000,047,104 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\iBtFltCoex.sys -- (iBtFltCoex)
DRV - [2011.07.19 22:12:22 | 000,225,280 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btmhsf.sys -- (btmhsf)
DRV - [2011.07.08 00:21:28 | 000,139,880 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2011.02.11 01:35:44 | 000,728,064 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTL8192cu.sys -- (RTL8192cu)
DRV - [2010.11.20 10:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010.06.09 13:00:48 | 001,554,472 | ---- | M] (Trident Microsystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\TrdCap.sys -- (TrdCap)
DRV - [2010.02.06 15:49:00 | 000,597,536 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2009.08.04 16:43:40 | 000,213,024 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2009.07.30 16:12:54 | 000,287,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmf6232.sys -- (NVNET)
DRV - [2009.07.13 23:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)
DRV - [2009.06.28 23:36:36 | 000,017,920 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2009.05.13 13:47:30 | 000,027,160 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\x10ufx2.sys -- (XUIF)
DRV - [2009.05.13 13:26:26 | 000,013,720 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\x10hid.sys -- (X10Hid)
DRV - [2003.04.25 10:11:10 | 000,099,968 | ---- | M] (ATMEL) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vnetusbr.sys -- (D-Link FVNETusb (AR)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 5C 6C BF 23 0A CE 01 [binary data]
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1001\..\SearchScopes,DefaultScope = {78B3DE7F-5FD7-42E9-AA71-389C717A631F}
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1001\..\SearchScopes\{78B3DE7F-5FD7-42E9-AA71-389C717A631F}: "URL" = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A0 43 87 C5 BB BD CC 01 [binary data]
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1003\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-2136012392-1314403839-967441070-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0.2
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_171.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw_1166636.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Nero.com/KM: C:\PROGRA~1\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.03.09 13:36:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.03.09 13:36:28 | 000,000,000 | ---D | M]
[2011.12.29 10:21:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matthias\AppData\Roaming\mozilla\Extensions
[2013.02.14 19:48:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matthias\AppData\Roaming\mozilla\Firefox\Profiles\nxug5y1n.default\extensions
[2013.02.14 19:48:12 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\Matthias\AppData\Roaming\mozilla\firefox\profiles\nxug5y1n.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013.03.09 13:36:28 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2013.03.09 13:36:28 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Programme\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2013.03.09 13:36:31 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009.12.17 00:03:36 | 000,063,488 | ---- | M] (Nullsoft) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2012.08.24 15:00:03 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.09.08 20:22:53 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.08.24 15:00:03 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.08.24 15:00:03 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.08.24 15:00:03 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.08.24 15:00:03 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2009.06.10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Programme\Corel\Corel MediaOne\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Memeo Instant Backup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe (Memeo Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\S-1-5-21-2136012392-1314403839-967441070-1001..\Run: [ApplePhotoStreams] C:\Programme\Common Files\Apple\Internet Services\ApplePhotoStreams.exe (Apple Inc.)
O4 - HKU\S-1-5-21-2136012392-1314403839-967441070-1001..\Run: [iCloudServices] C:\Programme\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
O4 - HKU\S-1-5-21-2136012392-1314403839-967441070-1001..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O8 - Extra context menu item: An OneNote s&enden - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Programme\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Verknüpfte &OneNote-Notizen - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Programme\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000048 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{30757C13-6560-4B6E-A938-4FC7110C6322}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (systempropertiesperformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{4c3b164b-679b-11e2-bbf7-0015832dddf5}\Shell - "" = AutoRun
O33 - MountPoints2\{4c3b164b-679b-11e2-bbf7-0015832dddf5}\Shell\AutoRun\command - "" = G:\HTC_Sync_Manager_PC.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2013.03.10 10:29:53 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Matthias\Desktop\OTL(2).exe
[2013.03.10 10:22:46 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Matthias\Desktop\OTL(1).exe
[2013.03.10 08:33:15 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Avira
[2013.03.10 08:32:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2013.03.10 08:32:17 | 000,134,336 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys
[2013.03.10 08:32:17 | 000,113,024 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avfwot.sys
[2013.03.10 08:32:17 | 000,092,448 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avfwim.sys
[2013.03.10 08:32:17 | 000,083,944 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys
[2013.03.10 08:32:17 | 000,036,552 | ---- | C] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys
[2013.03.10 08:32:17 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2013.03.10 08:32:16 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2013.03.09 23:55:16 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Matthias\Desktop\mbam-setup.exe
[2013.03.09 13:36:28 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013.03.01 20:44:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
[2013.02.26 21:04:08 | 000,000,000 | ---D | C] -- C:\Users\Matthias\MEDION NAS TOOL
[2013.02.26 21:01:37 | 000,000,000 | ---D | C] -- C:\Users\Matthias\AppData\Roaming\Memeo
[2013.02.26 21:01:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MEDION
[2013.02.26 21:01:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Memeo
[2013.02.26 21:01:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Memeo
[2013.02.26 21:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\Memeo
[2013.02.26 21:00:14 | 000,000,000 | ---D | C] -- C:\Program Files\MEDION
[2013.02.24 17:53:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2013.02.24 17:53:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2013.02.21 22:29:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013.02.21 22:29:07 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013.02.21 22:29:06 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013.02.21 22:29:06 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
========== Files - Modified Within 30 Days ==========
[2013.03.10 13:09:51 | 000,000,000 | ---- | M] () -- C:\Users\Matthias\defogger_reenable
[2013.03.10 12:57:50 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.03.10 12:43:00 | 000,001,102 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.03.10 12:31:32 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.10 12:31:32 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.10 12:28:24 | 000,671,812 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.03.10 12:28:24 | 000,622,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.03.10 12:28:24 | 000,135,160 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.03.10 12:28:24 | 000,110,926 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.03.10 12:28:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.10 12:24:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.10 12:23:59 | 2415,370,240 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.10 10:30:30 | 000,377,856 | ---- | M] () -- C:\Users\Matthias\Desktop\gmer_2.1.19155.exe
[2013.03.10 10:29:54 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Matthias\Desktop\OTL(2).exe
[2013.03.10 10:29:42 | 000,050,477 | ---- | M] () -- C:\Users\Matthias\Desktop\Defogger.exe
[2013.03.10 10:22:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Matthias\Desktop\OTL(1).exe
[2013.03.10 08:27:07 | 000,134,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avipbb.sys
[2013.03.10 08:27:07 | 000,036,552 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avkmgr.sys
[2013.03.10 08:27:07 | 000,028,520 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2013.03.10 08:27:06 | 000,113,024 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avfwot.sys
[2013.03.10 08:27:06 | 000,092,448 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avfwim.sys
[2013.03.10 08:27:06 | 000,083,944 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Windows\System32\drivers\avgntflt.sys
[2013.03.09 23:54:52 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Matthias\Desktop\mbam-setup.exe
[2013.03.09 23:32:17 | 301,768,704 | ---- | M] () -- C:\Users\Matthias\Desktop\kav_rescue_10.iso
[2013.03.09 15:00:17 | 000,000,450 | ---- | M] () -- C:\Windows\tasks\Intel_C_CVPR134604BU120LGN.job
[2013.02.26 21:01:37 | 000,002,086 | ---- | M] () -- C:\Users\Public\Desktop\MEDION NAS TOOL.lnk
[2013.02.26 21:01:20 | 000,001,119 | ---- | M] () -- C:\Users\Public\Desktop\Memeo Instant Backup.lnk
[2013.02.24 17:53:24 | 000,002,505 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2013.02.21 22:29:19 | 000,001,753 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013.02.15 03:21:15 | 000,832,168 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
========== Files Created - No Company Name ==========
[2013.03.10 13:09:51 | 000,000,000 | ---- | C] () -- C:\Users\Matthias\defogger_reenable
[2013.03.10 10:30:30 | 000,377,856 | ---- | C] () -- C:\Users\Matthias\Desktop\gmer_2.1.19155.exe
[2013.03.10 10:29:41 | 000,050,477 | ---- | C] () -- C:\Users\Matthias\Desktop\Defogger.exe
[2013.03.09 23:25:00 | 301,768,704 | ---- | C] () -- C:\Users\Matthias\Desktop\kav_rescue_10.iso
[2013.02.26 21:01:37 | 000,002,086 | ---- | C] () -- C:\Users\Public\Desktop\MEDION NAS TOOL.lnk
[2013.02.26 21:01:20 | 000,001,119 | ---- | C] () -- C:\Users\Public\Desktop\Memeo Instant Backup.lnk
[2013.02.21 22:29:19 | 000,001,753 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013.01.21 21:33:16 | 000,001,077 | ---- | C] () -- C:\Windows\cdplayer.ini
[2012.10.11 02:19:19 | 000,832,168 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.01.02 13:32:30 | 000,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2012.01.02 13:32:30 | 000,000,008 | RHS- | C] () -- C:\Windows\System32\DF38B70230.sys
[2012.01.02 13:04:04 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
[2012.01.02 10:07:33 | 000,111,932 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
[2012.01.02 10:07:33 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
[2012.01.02 10:07:33 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
[2012.01.02 10:07:33 | 000,026,154 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
[2012.01.02 10:07:33 | 000,024,903 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
[2012.01.02 10:07:33 | 000,021,390 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
[2012.01.02 10:07:33 | 000,020,148 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
[2012.01.02 10:07:33 | 000,011,811 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
[2012.01.02 10:07:33 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
[2012.01.02 10:07:33 | 000,001,146 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_DU.dat
[2012.01.02 10:07:33 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
[2012.01.02 10:07:33 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
[2012.01.02 10:07:33 | 000,001,136 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
[2012.01.02 10:07:33 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
[2012.01.02 10:07:33 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
[2012.01.02 10:07:33 | 000,001,120 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_IT.dat
[2012.01.02 10:07:33 | 000,001,107 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_GE.dat
[2012.01.02 10:07:33 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
[2012.01.02 10:07:33 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2011.12.30 17:53:36 | 000,650,752 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011.12.30 17:53:36 | 000,240,640 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2011.12.30 17:51:56 | 000,001,534 | ---- | C] () -- C:\ProgramData\ss.ini
[2011.12.30 16:45:38 | 000,001,285 | ---- | C] () -- C:\Users\Matthias\InterCon-NetTool.ini
[2011.12.18 21:36:35 | 000,127,184 | ---- | C] () -- C:\Windows\Unwise.exe
[2011.12.18 21:36:34 | 000,149,504 | ---- | C] () -- C:\Windows\unwise32_setup.exe
[2011.12.18 21:00:47 | 000,006,136 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
========== ZeroAccess Check ==========
[2009.07.14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2012.09.02 17:25:43 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\328A4CAB-EC49-48FC-8749-ABE8159A4DCD
[2012.01.04 10:33:20 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Acronis
[2011.12.30 17:35:15 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Canon
[2011.12.30 21:11:32 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Haenlein-Software
[2013.03.10 01:37:39 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Ibyl
[2011.12.30 20:55:12 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\IrfanView
[2013.01.12 07:35:47 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Luqiy
[2012.01.02 13:06:38 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\MAGIX
[2013.02.26 21:01:37 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Memeo
[2011.12.22 21:51:24 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\OpenCandy
[2013.01.12 07:35:47 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\Rifae
[2011.12.31 12:45:03 | 000,000,000 | ---D | M] -- C:\Users\Matthias\AppData\Roaming\TuneUp Software
[2013.03.10 12:58:24 | 000,000,000 | ---D | M] -- C:\Users\Surfen II\AppData\Roaming\Memeo
[2013.03.10 13:02:51 | 000,000,000 | ---D | M] -- C:\Users\Surfen II\AppData\Roaming\TuneUp Software
[2012.09.02 17:00:23 | 000,000,000 | ---D | M] -- C:\Users\Susu\AppData\Roaming\Acronis
[2012.04.05 18:18:40 | 000,000,000 | ---D | M] -- C:\Users\Susu\AppData\Roaming\Canon
[2013.02.27 08:44:08 | 000,000,000 | ---D | M] -- C:\Users\Susu\AppData\Roaming\Memeo
[2011.12.31 18:44:03 | 000,000,000 | ---D | M] -- C:\Users\Susu\AppData\Roaming\TuneUp Software
========== Purity Check ==========
< End of report >
Code:
ATTFilter OTL Extras logfile created on: 10.03.2013 13:11:03 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Matthias\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,00 Gb Total Physical Memory | 2,06 Gb Available Physical Memory | 68,84% Memory free
6,00 Gb Paging File | 4,81 Gb Available in Paging File | 80,13% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111,69 Gb Total Space | 64,97 Gb Free Space | 58,17% Space Free | Partition Type: NTFS
Drive E: | 1863,01 Gb Total Space | 964,42 Gb Free Space | 51,77% Space Free | Partition Type: NTFS
Drive V: | 0,00 Mb Total Space | 0,00 Mb Free Space | 100,00% Space Free | Partition Type: UNKNOWN
Drive Z: | 1863,01 Gb Total Space | 108,40 Gb Free Space | 5,82% Space Free | Partition Type: NTFS
Computer Name: MATTHIAS-PC | User Name: Matthias | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
[HKEY_USERS\S-1-5-21-2136012392-1314403839-967441070-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [CEWE FOTOSCHAU] -- "C:\Program Files\dm\dm-Fotowelt\CEWE FOTOSCHAU.exe" -d "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [dm-Fotowelt] -- "C:\Program Files\dm\dm-Fotowelt\dm-Fotowelt.exe" "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{012F5876-6340-4AF0-A960-65893CB7C697}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{11FD5DB3-9BAF-469B-A97E-A76AA7D7F27D}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{145E8013-B05A-40B9-A683-51A090BCF556}" = rport=139 | protocol=6 | dir=out | app=system |
"{3B3D43F2-3A13-4CB0-ABC7-E551C2226AEC}" = lport=137 | protocol=17 | dir=in | app=system |
"{53169140-2AD5-4B6A-8F83-21606215591F}" = lport=445 | protocol=6 | dir=in | app=system |
"{5A6C736D-D0B7-4392-AE03-693A8A6B7F0C}" = rport=445 | protocol=6 | dir=out | app=system |
"{61AC5E4A-F131-4927-84D5-F2E64B68BFF0}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{70384BA5-5C52-48D7-AE92-DC5AEDBCA5B7}" = rport=138 | protocol=17 | dir=out | app=system |
"{9BCC93A7-FB58-479E-B286-245BF650D3C9}" = rport=137 | protocol=17 | dir=out | app=system |
"{A0942FE7-CA85-4D7F-BCA3-45187709DDA7}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{A283ECCB-7049-4504-813F-4054BAE6C46A}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{ABC5C753-256B-4579-B76B-701A51800F72}" = lport=139 | protocol=6 | dir=in | app=system |
"{BEB27A48-D661-4E8B-B41C-EA733E7BC329}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{D37235E0-9626-446C-9FDD-042CC6C1E53E}" = lport=138 | protocol=17 | dir=in | app=system |
"{DD27A23B-8878-4A3F-B8E9-8FA358B742DF}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01B822A4-6AD3-4F71-A500-008458A435AB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{0884757A-63B6-40E3-86D6-8477A1FFD087}" = protocol=17 | dir=in | app=c:\program files\seh computertechnik gmbh\seh utn manager\utnmanager.exe |
"{0D819C40-E54F-497D-85D0-CD2B86554713}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{10A2FF7F-BE97-4FB6-87C8-D626FB1DE20E}" = protocol=6 | dir=in | app=c:\program files\seh computertechnik gmbh\seh utn manager\utnmanager.exe |
"{13C0BFB5-BD33-479F-A3D6-4D2EFB4A69A3}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{15C5E4D2-2748-4E20-AA0C-A03C976B2F8F}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{304404F7-54B5-40EB-B4D7-497497DBA205}" = protocol=6 | dir=in | app=c:\program files\seh computertechnik gmbh\seh utn manager\utnservice.exe |
"{30DB9C28-EE89-414E-9F60-977509CCDF35}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{4828DEA3-9AC2-446D-A41A-5026114781E2}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifeexp.exe |
"{4A4BAC61-D6FC-4786-B269-EF08FB7642AD}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{57C21E1E-C3BB-46E4-82DB-7261F6C442C5}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifeenc2.exe |
"{5B62A447-1A6C-4117-BE2A-A6B4370D609B}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifecam.exe |
"{62F40EB2-50E7-425D-9201-9083FB85C3D5}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifetray.exe |
"{72D947C5-1102-4F7E-A8EB-DAA7336D48B7}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{88178E6B-0C60-4E25-9D45-38B9CE19F29A}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{8A34A0CF-5B8C-4C8B-9E59-F52A63883EE8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8E3AEC75-9C56-41B3-951A-1E4519F1F8A4}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{8EC11F25-BAF0-4756-B169-E00C64F26D49}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifeexp.exe |
"{919C8484-5F47-4AC0-AAA1-30D744C31FC8}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{A6DCCA19-B357-490D-A456-0FF6CAF7E18D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{A9E2E53D-F30A-425D-BD58-D7BA0BFFDB6E}" = protocol=17 | dir=in | app=c:\program files\seh computertechnik gmbh\intercon-nettool\intercon-nettool.exe |
"{ACB2FACC-0207-4E81-8EE7-9C08CE21E7EF}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{BD816E3D-DE62-4B1B-BD8D-85A853E05241}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C2E9550C-6F94-4076-BCB2-373A64CFA8E1}" = protocol=17 | dir=in | app=c:\program files\seh computertechnik gmbh\seh utn manager\utnservice.exe |
"{C77850CD-F881-4951-A66C-98B773E3C2E5}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{D0BC8AFC-02D8-43DD-B028-3D9B92A6D100}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifetray.exe |
"{E0D84C68-A643-4437-87F8-E0BF2939856F}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifeenc2.exe |
"{F11711F0-1DD8-4A67-814C-2169EF81D1DA}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifecam.exe |
"{FABC09A2-6ED7-44BD-9221-00C832104D0B}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{FE3D14EC-D2DE-449C-A31D-258483B82D79}" = protocol=6 | dir=in | app=c:\program files\seh computertechnik gmbh\intercon-nettool\intercon-nettool.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3
"{01E9B2FF-DAF4-4529-9CC9-2101625517C7}" = nero.prerequisites.msi
"{054A5F46-6DCE-4D09-8BC0-170428A4ED56}" = Acronis*True*Image*Home 2012
"{054A5F46-6DCE-4D09-8BC0-170428A4ED56}Visible" = Acronis*True*Image*Home 2012
"{08C8666B-C502-4AB3-B4CB-D74AC42D14FE}" = Nero BackItUp 10 Help (CHM)
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4807" = CanoScan LiDE 200 Scanner Driver
"{16987E99-C95C-4513-9239-7B44A0A71DB5}" = Nero SoundTrax 10 Help (CHM)
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
"{268278CF-FB69-4D98-B70E-BFEC1CDCA225}" = iTunes
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{277C1559-4CF7-44FF-8D07-98AA9C13AABD}" = Nero Multimedia Suite 10 Platinum HD
"{32364CEA-7855-4A3C-B674-53D8E9B97936}" = TuneUp Utilities 2012
"{329411A0-19F3-4740-874F-17400B126F27}" = Nero Vision 10 Help (CHM)
"{33643918-7957-4839-92C7-EA96CB621A98}" = Nero Express 10 Help (CHM)
"{34490F4E-48D0-492E-8249-B48BECF0537C}" = Nero DiscSpeed 10
"{34B32B70-8081-11E2-89AF-B8AC6F98CCE3}" = Google Earth Plug-in
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E6F0CAD-EE38-42A5-9EEA-AE17A55BF2D4}" = Firebird SQL Server - MAGIX Edition
"{42C8B7DF-FEB0-4D51-B169-506B6BEC5797}" = Nero 10 Menu TemplatePack 1
"{43FBAB46-5969-4200-9958-1FF81FEE506F}" = Nero 10 Kwik Themes 1
"{45C56AA7-ED1B-4800-A97F-EDDF3F3520B1}" = Apple Application Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.1
"{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP 3.92
"{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)
"{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM)
"{5DDB3393-E08B-447E-925F-6C00B95D0FE7}" = iCloud
"{5F548A02-80BC-404D-BAE6-F05F9BF6B449}" = Nero DiscCopyGadget 10 Help (CHM)
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{63AA3EAB-23BB-48B2-9AD0-44F878075604}" = Nero 10 Menu TemplatePack Basic
"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
"{66049135-9659-4AAD-9169-9CCA269EBB3E}" = Nero InfoTool 10 Help (CHM)
"{68AB6930-5BFF-4FF6-923B-516A91984FE6}" = Nero BackItUp 10
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
"{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10
"{70F19404-B96C-4EBB-AD2B-3574F8736197}" = Nero 10 Kwik Themes 2
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7A295D8F-484B-4FFB-89AB-C1FD497591FE}" = Nero WaveEditor 10 Help (CHM)
"{7A5D731D-B4B3-490E-B339-75685712BAAB}" = Nero Burning ROM 10
"{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"{7EE873AF-46BB-4B5D-BA6F-CFE4B0566E22}" = TuneUp Utilities Language Pack (de-DE)
"{7F6D7FD9-648D-4DD9-BB6E-3990C675ECA4}" = NVIDIA PhysX
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85BEC8F6-9AA3-43FF-B56B-8276277137B3}" = Nero 10 Video TransitionPack 1
"{8973631B-D3CE-4F74-8A72-F734D928B940}" = DVRManager
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E666407-AC41-46a2-9692-6C7BFCBFDD37}" = Memeo Instant Backup
"{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}" = Nero Recode 10
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0015-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0016-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0018-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001A-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001B-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}_Office14.PROPLUS_{65A2328E-FDFB-4CA3-8582-357EA6825FEA}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-001F-0410-0000-0000000FF1CE}_Office14.PROPLUS_{C0743197-FFEE-4C19-BAEB-8F7437DC4C8A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-002C-0407-0000-0000000FF1CE}_Office14.PROPLUS_{4275FB46-ABDF-4456-876C-17CF64294D9A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2010
"{90140000-0044-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}_Office14.PROPLUS_{98EDFD9F-EA76-40CC-BCE9-92C69413F65B}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00A1-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2010
"{90140000-00BA-0407-0000-0000000FF1CE}_Office14.PROPLUS_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{9193490D-5229-4FC4-9BB9-A6D63C09574A}" = High-Definition Video Playback
"{92146419-AE44-4C8B-A48B-0ABB1B5EC026}" = Nero 10 Menu TemplatePack 3
"{92A10E9D-EA00-4A46-8F22-EEA660992D61}" = Nero 10 Sample Videos
"{92E25238-61A3-4ACD-A407-3C480EEF47A7}" = Nero RescueAgent 10 Help (CHM)
"{92EC1A84-7FFC-42DF-A8F6-79C21C4765A5}" = Nero DiscCopy Gadget 10
"{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10
"{959282E3-55A9-49D8-B885-D27CF8A2FD82}" = PHOTOfunSTUDIO 5.1 HD Edition
"{96ED4B78-300E-4033-AE6C-C115CEB4DF07}" = Nero 10 ClipartPack
"{975C8028-51D8-44A9-9585-82E9810FE96A}" = hp LaserJet 1000
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}" = Nero Vision 10
"{9B6B24BE-80E7-46C4-9FA5-B167D5E0F345}" = Nero BurningROM 10 Help (CHM)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D318C86-AF4C-409F-A6AC-7183FF4CF424}" = Internet-TV für Windows Media Center
"{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne
"{A334F1BA-0A1D-4ED6-B4F9-4066157CA15D}" = DE
"{A70B0C7B-3527-4D53-A694-E9492ECE9EE1}" = Nero 10 Kwik Themes 4
"{A7A0BF2E-31CC-49E3-9913-52C503EB969D}" = Nero Audio Pack 1
"{A8EFC6C1-DF0C-4F51-8779-EAC4CDB440A4}" = Plus Pack für Acronis True Image Home 2012
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.6) - Deutsch
"{ACD15FDF-FC42-4175-B477-576F92FF2256}" = Nero 10 Sample ImagePack
"{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3
"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 280.26
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 280.26
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.11.0621
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.4.28
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD-Audiotreiber 1.2.24.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B9B1BA7F-7E07-49DD-A713-5B397A5BB66B}" = Nero Kwik Media Help (CHM)
"{BD60F72D-3F2F-4AE1-9C41-3CF75B2CA59A}" = DVR-Studio Pro 2
"{BD61F72D-2F1F-4BE1-9D41-3DF75B2CA59A}" = DVR-Compress
"{BD71B413-9FEE-49BB-A6D1-2C0BFB99BDFE}" = Microsoft LifeCam
"{BE814218-3919-4EA3-868A-2F60BC135CB4}" = Nero Kwik Media
"{BEBEE34D-84A2-4EDD-8BEA-96CC54371263}" = Nero Core Components 11
"{C18A0418-442A-4186-AF98-D08F5054A2FC}" = Nero DiscSpeed 10 Help (CHM)
"{C3273C55-E1E4-41FF-8D69-0158090DB8D8}" = Nero CoverDesigner 10 Help (CHM)
"{C82C515A-CAE3-44B3-B5CC-81C5E4A92E8F}" = Nero Prerequisite Installer 1.0
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CE026CFE-73FE-4FED-9D5F-2C8D4DB512B0}" = TuneUp Utilities Language Pack (de-DE)
"{DB7C1D4A-08BA-4C7E-A8AA-B7F9BB372DCF}" = Nero Recode 10 Help (CHM)
"{DD238642-14C7-4D54-8BD7-FAD6DEA9999B}" = Nero 10 Kwik Themes 3
"{E14ADE0E-75F3-4A46-87E5-26692DD626EC}" = Apple Mobile Device Support
"{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}" = Nero SoundTrax 10
"{E337E787-CF61-4B7B-B84F-509202A54023}" = Nero RescueAgent 10
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E712C273-7564-4C8E-AA59-0FA19BC35117}" = Nero 10 Menu TemplatePack 2
"{EDCDFAD5-DF80-4600-A493-E9DAD6810230}" = Nero WaveEditor 10
"{EF3A4DAE-F16F-4AC1-87BB-FE00A784084F}" = Nero 10 PiP EffectPack 1
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic
"{F6117F9C-ADB5-4590-9BE4-12C7BEC28702}" = Nero StartSmart 10 Help (CHM)
"{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}" = Nero StartSmart 10
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{FCF00A6E-FB58-477A-ABE9-232907105521}" = Nero CoverDesigner 10
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Album Cover Finder_is1" = Album Cover Finder v.7.1.0
"ALDI Süd Foto Manager Free D" = ALDI Süd Foto Manager Free
"ALDI Süd Foto Service D" = ALDI Süd Foto Service
"Aldi Süd Fotoservice_is1" = Aldi Süd Fotoservice
"ALDI Süd Online Druck Service D" = ALDI Süd Online Druck Service
"Avira AntiVir Desktop" = Avira Internet Security
"CANONIJINBOXADDON100" = Canon Inkjet Printer Driver Add-On Module
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"CrystalDiskInfo_is1" = CrystalDiskInfo 4.1.4
"dm-Fotowelt" = dm-Fotowelt
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"Intel(R) Solid-State Drive Toolbox" = Intel(R) Solid-State Drive Toolbox
"InterCon-NetTool" = SEH InterCon-NetTool 1.8.43
"IrfanView" = IrfanView (remove only)
"Jasc Paint Shop Pro 8.10 Update Patch" = Jasc Paint Shop Pro 8.10 Update Patch
"MEDION Fotos auf CD & DVD SE Sued D" = MEDION Fotos auf CD & DVD SE Sued
"MEDION NAS TOOL" = MEDION NAS TOOL
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox 19.0.2 (x86 de)" = Mozilla Firefox 19.0.2 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
"NVIDIA Drivers" = NVIDIA Drivers
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"SEH Print Monitor" = SEH Print Monitor 4.5.5
"SEH UTN Manager" = SEH UTN Manager 1.5.6
"Tag&Rename_is1" = Tag&Rename 3.6
"TuneUp Utilities 2012" = TuneUp Utilities 2012
"VLC media player" = VLC media player 1.1.11
"Winamp" = Winamp
"WinRAR archiver" = WinRAR
"WinZip" = WinZip
"X10Hardware" = X10 Hardware(TM)
"Xvid Video Codec 1.3.1" = Xvid Video Codec
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-2136012392-1314403839-967441070-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winamp Detect" = Winamp Anwendungserkennung
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 09.03.2013 22:04:01 | Computer Name = Matthias-PC | Source = Microsoft-Windows-User Profiles Service | ID = 1511
Description = Das lokale Benutzerprofil wurde nicht gefunden. Sie werden mit einem
temporären Benutzerprofil angemeldet. Änderungen, die Sie am Benutzerprofil vornehmen,
gehen bei der Abmeldung verloren.
Error - 10.03.2013 03:09:36 | Computer Name = Matthias-PC | Source = MemeoBackgroundService | ID = 0
Description =
Error - 10.03.2013 03:12:12 | Computer Name = Matthias-PC | Source = MemeoBackgroundService | ID = 0
Description =
Error - 10.03.2013 03:22:58 | Computer Name = Matthias-PC | Source = MemeoBackgroundService | ID = 0
Description =
Error - 10.03.2013 03:34:32 | Computer Name = Matthias-PC | Source = MemeoBackgroundService | ID = 0
Description =
Error - 10.03.2013 04:02:55 | Computer Name = Matthias-PC | Source = MemeoBackgroundService | ID = 0
Description =
Error - 10.03.2013 04:54:08 | Computer Name = Matthias-PC | Source = VSS | ID = 8193
Description =
Error - 10.03.2013 04:56:29 | Computer Name = Matthias-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: utnservice.exe, Version: 0.0.0.0,
Zeitstempel: 0x50bc9681 Name des fehlerhaften Moduls: utnservice.exe, Version: 0.0.0.0,
Zeitstempel: 0x50bc9681 Ausnahmecode: 0xc0000005 Fehleroffset: 0x0000599a ID des fehlerhaften
Prozesses: 0x1528 Startzeit der fehlerhaften Anwendung: 0x01ce1d6cd91cb5f0 Pfad der
fehlerhaften Anwendung: C:\Program Files\SEH Computertechnik GmbH\SEH UTN Manager\utnservice.exe
Pfad
des fehlerhaften Moduls: C:\Program Files\SEH Computertechnik GmbH\SEH UTN Manager\utnservice.exe
Berichtskennung:
656e0900-8960-11e2-aa62-0015832dddf5
Error - 10.03.2013 05:25:29 | Computer Name = Matthias-PC | Source = Application Hang | ID = 1002
Description = Programm TrueImage.exe, Version 15.0.0.7133 kann nicht mehr unter
Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in
der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem
zu suchen. Prozess-ID: 120c Startzeit: 01ce1d705ca83fe0 Endzeit: 18726 Anwendungspfad:
C:\Program Files\Acronis\TrueImageHome\TrueImage.exe Berichts-ID: 4b0dc241-8964-11e2-aa62-0015832dddf5
Error - 10.03.2013 07:24:16 | Computer Name = Matthias-PC | Source = MemeoBackgroundService | ID = 0
Description =
[ Media Center Events ]
Error - 05.03.2012 18:07:23 | Computer Name = Matthias-PC | Source = MCUpdate | ID = 0
Description = 23:07:22 - MCEClientUX konnte nicht abgerufen werden (Fehler: Die
zugrunde liegende Verbindung wurde geschlossen: Für den geschützten SSL/TLS-Kanal
konnte keine Vertrauensstellung hergestellt werden..)
Error - 17.02.2013 08:03:32 | Computer Name = Matthias-PC | Source = MCUpdate | ID = 0
Description = 13:03:32 - Fehler beim Herstellen der Internetverbindung. 13:03:32
- Serververbindung konnte nicht hergestellt werden..
[ System Events ]
Error - 01.03.2013 10:58:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 01.03.2013 11:30:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 01.03.2013 12:03:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 01.03.2013 12:35:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 01.03.2013 13:07:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 01.03.2013 13:39:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 01.03.2013 14:11:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 01.03.2013 14:43:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 01.03.2013 15:16:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
Error - 02.03.2013 04:25:15 | Computer Name = Matthias-PC | Source = srv | ID = 2017
Description = Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren,
da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher
erreicht wurde.
[ TuneUp Events ]
Error - 09.02.2012 13:21:30 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 09.02.2012 13:21:30 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 14.02.2012 20:23:06 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 27.02.2012 22:48:07 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 28.02.2012 02:57:03 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 28.02.2012 02:57:29 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 28.02.2012 03:58:11 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 28.02.2012 03:59:01 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 07.07.2012 08:35:23 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
Error - 21.09.2012 21:15:55 | Computer Name = Matthias-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description =
< End of report >
Gmer.txt Code:
ATTFilter GMER 2.1.19155 - hxxp://www.gmer.net
Rootkit scan 2013-03-10 15:08:06
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 INTEL_SSDSA2CW120G3 rev.4PC10362 111,79GB
Running: gmer_2.1.19155.exe; Driver: C:\Users\Matthias\AppData\Local\Temp\fxldqkow.sys
---- System - GMER 2.1 ----
SSDT 8F258496 ZwCreateSection
SSDT 8F25846E ZwCreateSymbolicLinkObject
SSDT 8F258473 ZwLoadDriver
SSDT 8F258469 ZwOpenSection
SSDT 8F2584A0 ZwRequestWaitReplyPort
SSDT 8F25849B ZwSetContextThread
SSDT 8F2584A5 ZwSetSecurityObject
SSDT 8F258478 ZwSetSystemInformation
SSDT 8F2584AA ZwSystemDebugControl
SSDT 8F258437 ZwTerminateProcess
SSDT 8F258432 ZwWriteVirtualMemory
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8323F9E9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832791C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 8328030C 4 Bytes [96, 84, 25, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11FF 83280314 4 Bytes [6E, 84, 25, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 83280428 4 Bytes [73, 84, 25, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 13AF 832804C4 4 Bytes [69, 84, 25, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 83280668 4 Bytes [A0, 84, 25, 8F]
.text ...
---- Devices - GMER 2.1 ----
Device Ntfs.sys
AttachedDevice tdrpman.sys
Device \Driver\BTHUSB \Device\0000009b bthport.sys
Device \Driver\BTHUSB \Device\0000009b bthport.sys
Device \Driver\BTHUSB \Device\0000009d bthport.sys
Device \Driver\BTHUSB \Device\0000009d bthport.sys
Device \Driver\volmgr \Device\VolMgrControl fltsrv.sys
AttachedDevice \Driver\tdx \Device\Tcp avfwot.sys
Device \Driver\volmgr \Device\HarddiskVolume1 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume2 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume3 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume4 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume5 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume6 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume7 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume8 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume9 fltsrv.sys
Device \Driver\partmgr \Device\PartmgrControl fltsrv.sys
AttachedDevice \Driver\tdx \Device\Udp avfwot.sys
Device \Driver\Disk \Device\Harddisk0\DR0 fltsrv.sys
AttachedDevice \Driver\tdx \Device\RawIp avfwot.sys
Device \Driver\Disk \Device\Harddisk1\DR1 fltsrv.sys
Device \Driver\Disk \Device\Harddisk2\DR2 fltsrv.sys
Device \Driver\Disk \Device\Harddisk3\DR3 fltsrv.sys
Device \Driver\Disk \Device\Harddisk4\DR4 fltsrv.sys
Device \Driver\Disk \Device\Harddisk5\DR5 fltsrv.sys
Device \Driver\Disk \Device\Harddisk6\DR6 fltsrv.sys
Device \Driver\Disk \Device\Harddisk7\DR7 fltsrv.sys
Device \Driver\Disk \Device\Harddisk8\DR8 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume10 fltsrv.sys
Device \Driver\Disk \Device\Harddisk9\DR9 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume11 fltsrv.sys
Device \Driver\rdyboost \Device\RdyBoost fltsrv.sys
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015832dddf5
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015832dddf5 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9816170D-898A-84EB-A621-DF7F7D25E3F7}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9816170D-898A-84EB-A621-DF7F7D25E3F7}@pafkmibdkdbjfhlpkelkigoielnfgmof 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9816170D-898A-84EB-A621-DF7F7D25E3F7}@padpmljobipagfdfhgnhbjohlbompdoa 0x61 0x61 0x00 0x01
---- EOF - GMER 2.1 ----
Ich bin mir nicht sicher, ob ich bereits alles entfernen konnte. Meine Avira Internet Security Suite arbeitete zunächst nicht. Fehlermeldung bzgl. folgender fehlerhaften oder fehlenden DLL C:\\WINDOWS\WinSxS\x86_microsoft.windows.common_controls_6595b64144ccf1df_6.0.7691.17514_none_41e6975e2bd6f2b2\COMCTL32.dll Nach Deinstallation und Neuinstallation von Avira ist bisher vermeintlich alles in Ordnung. Ich bitte um Hilfe und verbleibe mit Besten Grüssen Ratte2000 |
| Themen zu GVU / Bundespolizeitrojaner (Skypevariante?); System Win7 32bit; Infektionszeit 09.03.13 23:05 |
| antivir, autorun, avira internet security suite, benutzerprofil, bonjour, bundespolizeitrojaner, crystaldiskinfo, entfernen, flash player, install.exe, logfile, mit temporären profil angemeldet, mozilla, plug-in, realtek, rundll, sie wurden mit einem temporären profil angemeldet, sie wurden mit einem temporären profil angemeldet windows 7 domäne, software, svchost.exe, temporären profil angemeldet, win7 temporäres profil, windows, windows 7 sie wurden mit einem temporären profil angemeldet, windows 7 sie wurden mit einem temporären profil angemeldet domäne, windows 7 temporäres profil domäne |
Baum-Darstellung