|
Plagegeister aller Art und deren Bekämpfung: Bundespolizei-Trojaner blockiert abgesicherten ModusWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
23.03.2013, 13:27 | #1 |
| Bundespolizei-Trojaner blockiert abgesicherten Modus Hallo liebes Trojaner-Board Team ! Ich habe mir den Bundespolizei-Trojaner auf einem 2. PC eingefangen. Einen Lösungsversuch habe ich bereits gestartet, und zwar mit dem Abgesicherten Modus mit Eingabeaufforderung; dabei bin ich nach folgender Anleitung vorgegangen: www.bmi.gv.at/cms/cs03documentsbmi/1103.pdf Das hat allerdings nicht funktioniert, da der Wert von Shell in Winlogon bereits "Explorer.exe" beträgt. Außerdem musste ich feststellen, dass der Trojaner beim "normalen" Abgesicherten Modus, sowie beim abgesicherten Modus mit Netzwerktreibern sperrt, aber bei dem mit Eingabeaufforderung nicht (bei letzterem habe ich allerdings auch nur auf die Eingabeaufforderung Zugriff, ansonsten ist dort nur ein schwarzer Schirm) Ich bedanke mich schonmal im Vorhinein für alle zukünftigen Lösungsvorschläge und hoffe, dass ich das Problem mit eurer Hilfe lösen kann. |
23.03.2013, 14:51 | #2 | |
/// TB-Ausbilder | Bundespolizei-Trojaner blockiert abgesicherten Modus Hallo Coldeagle und
__________________Mein Name ist Leo und ich werde dich durch die Bereinigung deines Rechners begleiten. Eine Bereinigung beinhaltet nebst dem Entfernen von Malware auch das Schliessen von Sicherheitslücken und sollte gründlich durchgeführt werden. Sie erfolgt deshalb in mehreren Schritten und bedeutet einigen Aufwand für dich. Beachte: Das Verschwinden der offensichtlichen Symptome bedeutet nicht, dass das System schon sauber ist. Arbeite daher in deinem eigenen Interesse solange mit, bis du das OK bekommst, dass alles erledigt ist. Hinweise zum Ablauf
Zitat:
Schritt 1 Lade dir auf einem Zweitrechner bitte OTL (von Oldtimer) herunter und speichere es auf einen USB-Stick (nicht in einen Unterordner!).
Bitte poste in deiner nächsten Antwort:
__________________ |
24.03.2013, 13:06 | #3 |
| Bundespolizei-Trojaner blockiert abgesicherten Modus Hallo Leo! Vielen Dank für die schnelle Hilfe.
__________________Mein Name ist übrigens Martin. Hier sind die beiden txt-Dateien, die OTL erstellt hat. Erstmal die OTL.txt Code:
ATTFilter OTL logfile created on: 24.03.2013 12:45:18 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = D:\ Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000c07 | Country: Österreich | Language: DEA | Date Format: dd.MM.yyyy 1,99 Gb Total Physical Memory | 1,69 Gb Available Physical Memory | 84,90% Memory free 3,98 Gb Paging File | 3,70 Gb Available in Paging File | 92,91% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 74,43 Gb Total Space | 46,50 Gb Free Space | 62,47% Space Free | Partition Type: NTFS Drive D: | 1,95 Gb Total Space | 1,76 Gb Free Space | 90,41% Space Free | Partition Type: FAT32 Computer Name: SILBERNER_COMPU | User Name: Mama | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2013.03.24 12:29:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- D:\OTL.exe PRC - [2013.01.27 11:11:46 | 000,284,304 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\MpCmdRun.exe PRC - [2013.01.27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\MsMpEng.exe PRC - [2012.11.30 03:55:25 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2010.11.20 13:17:00 | 000,302,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe ========== Modules (No Company Name) ========== ========== Services (SafeList) ========== SRV - [2013.03.23 11:59:08 | 000,101,888 | ---- | M] () [Auto | Stopped] -- C:\Users\Mama\3050053.dll -- (Winmgmt) SRV - [2013.03.13 15:40:47 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.03.07 15:29:15 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.01.27 11:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft Security Client\NisSrv.exe -- (NisSrv) SRV - [2013.01.27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc) SRV - [2012.12.18 15:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2011.07.20 04:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2010.11.30 10:20:00 | 001,570,056 | ---- | M] (Raxco Software, Inc.) [Auto | Stopped] -- C:\Programme\Raxco\PerfectDisk\PDAgent.exe -- (PDAgent) SRV - [2010.11.30 10:19:50 | 001,475,848 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Programme\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine) SRV - [2010.11.20 13:21:36 | 000,351,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- winhttp.dll -- (WinHttpAutoProxySvc) SRV - [2010.11.20 13:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2010.05.21 12:29:20 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc) SRV - [2010.05.04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) [Auto | Stopped] -- C:\Programme\Nero\Update\NASvc.exe -- (NAUpdate) SRV - [2010.01.25 07:22:56 | 000,245,760 | ---- | M] (Brother Industries, Ltd.) [On_Demand | Stopped] -- C:\Programme\Browny02\BrYNSvc.exe -- (BrYNSvc) SRV - [2009.08.18 10:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc) SRV - [2009.07.14 02:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc) SRV - [2009.07.14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009.07.14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2007.05.31 15:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm) SRV - [2007.05.31 15:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr) SRV - [2006.10.26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\ublqjnip.sys -- (ublqjnip) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ATI\Support\10-4_vista32_win7_32_dd_ccc_wdm_enu\Bin\atidcmxx.sys -- (AtiDCM) DRV - [2013.03.24 12:42:58 | 000,043,600 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ynfablfc.sys -- (ynfablfc) DRV - [2013.01.20 15:59:04 | 000,100,328 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv) DRV - [2012.10.25 17:30:04 | 000,025,200 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ggsemc.sys -- (ggsemc) DRV - [2012.10.25 17:30:04 | 000,012,400 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ggflt.sys -- (ggflt) DRV - [2012.08.23 15:44:32 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV - [2012.08.23 15:40:25 | 000,049,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2011.08.02 17:38:44 | 000,018,432 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netaapl.sys -- (Netaapl) DRV - [2011.06.02 11:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Programme\SystemRequirementsLab\cpudrv.sys -- (cpudrv) DRV - [2010.11.20 13:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus) DRV - [2010.11.20 13:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt) DRV - [2010.11.20 13:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc) DRV - [2010.11.20 10:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb) DRV - [2010.11.20 10:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID) DRV - [2010.11.20 10:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap) DRV - [2010.08.11 07:10:06 | 000,135,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\DefragFs.sys -- (DefragFS) DRV - [2010.02.08 05:45:04 | 000,019,456 | ---- | M] (WiFi Media Connect) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wfmcvad.sys -- (WFMC_VAD) DRV - [2009.10.26 07:54:24 | 000,025,088 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ANDROIDUSB.sys -- (HTCAND32) DRV - [2009.07.13 23:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag) DRV - [2009.02.13 20:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wdcsam.sys -- (WDC_SAM) DRV - [2007.06.10 16:48:02 | 000,110,160 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vna.sys -- (VNA) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-2523976142-1527386152-3711227914-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.at/ IE - HKU\S-1-5-21-2523976142-1527386152-3711227914-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://at.msn.com/?ocid=iehp IE - HKU\S-1-5-21-2523976142-1527386152-3711227914-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-AT IE - HKU\S-1-5-21-2523976142-1527386152-3711227914-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 48 06 EE 04 8E E3 CD 01 [binary data] IE - HKU\S-1-5-21-2523976142-1527386152-3711227914-1004\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKU\S-1-5-21-2523976142-1527386152-3711227914-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0.2 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.03.13 16:38:11 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.03.13 16:39:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mama\AppData\Roaming\mozilla\Extensions [2013.03.13 16:40:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mama\AppData\Roaming\mozilla\Firefox\Profiles\8t4c8jft.default\extensions [2013.03.13 16:40:55 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\Mama\AppData\Roaming\mozilla\firefox\profiles\8t4c8jft.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013.03.13 16:38:11 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2013.03.07 15:30:04 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2013.03.07 16:45:15 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2013.03.07 16:45:15 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2013.03.07 16:45:15 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2013.03.07 16:45:15 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2013.03.07 16:45:15 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2013.03.07 16:45:15 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2011.10.08 07:29:13 | 000,001,935 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 blumi.to O1 - Hosts: 127.0.0.1 www.nero.com O1 - Hosts: 127.0.0.1 www.nero.com/rus/index.html O1 - Hosts: 127.0.0.1 www.nero.com/rus/support.html O1 - Hosts: 127.0.0.1 www.nero.com/rus/support-customer-service-product-registration.html O1 - Hosts: 127.0.0.1 www.nero.com/rus/store-upgrade-center.html O1 - Hosts: 127.0.0.1 www.nero.com/rus/store-volume-licensing.html O1 - Hosts: 127.0.0.1 www.nero.com/eng/support.html?NeroSID=392cba06859c3dcd87b47525e97a3b80 O1 - Hosts: 127.0.0.1 www.nero.com/eng/store-upgrade-center.html?NeroSID=392cba06859c3dcd87b47525e97a3b80 O1 - Hosts: 127.0.0.1 www.nero.com/eng/support-customer-service-product-registration.html?NeroSID=392cba06859c3dcd87b47525e97a3b80 O1 - Hosts: 127.0.0.1 www.nero.com/eng/index.html O1 - Hosts: 127.0.0.1 www.nero.com/eng/store-upgrade-center.html&sa=X&oi=smap&resnum=1&ct=result&cd=6&usg=AFQjCNFRzc_q0umeKlIj7pPYNNBYCFbXkg O1 - Hosts: 127.0.0.1 www.nero.com/enu/support-nero8.html O1 - Hosts: 127.0.0.1 my.nero.com O1 - Hosts: 127.0.0.1 secure.nero.com/us/secure.asp O1 - Hosts: 127.0.0.1 activation@nero.com O1 - Hosts: 127.0.0.1 registernero.com O1 - Hosts: 127.0.0.1 www.registernero.com O1 - Hosts: 127.0.0.1 nero.com O1 - Hosts: 127.0.0.1 www.nero.com/eng/privacy.html. O1 - Hosts: 127.0.0.1 legal@nero.com O1 - Hosts: 127.0.0.1 support.nero.com O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Windows Live ID-Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O4 - HKLM..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.) O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation) O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe (Microsoft Corporation) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LocalAccountTokenFilterPolicy = 1 O7 - HKU\S-1-5-21-2523976142-1527386152-3711227914-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://oas.support.microsoft.com/ActiveX/MSDcode.cab (Microsoft Data Collection Control) O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab (DLM Control) O16 - DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} https://www.icloud.com/system/iCloud.cab (iCloud Web App Plugin) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} https://68.156.46.20/SNX/CSHELL/extender.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.11.0.cab (SysInfo Class) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe (Reg Error: Key error.) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.138 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0ECB2482-6F92-4473-9C4A-B619D99B1298}: DhcpNameServer = 10.0.0.138 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{94761770-9921-4766-BAFB-7D27F164D711}: DhcpNameServer = 213.162.69.169 213.162.69.170 O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation) O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - igfxdev.dll (Intel Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O29 - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation) O31 - SafeBoot: UseAlternatShell - 1 O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (PDBoot.exe) O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.03.24 12:42:57 | 000,043,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ynfablfc.sys [2013.03.22 15:53:20 | 001,534,464 | ---- | C] (Brother Industries, Ltd.) -- C:\Windows\System32\BrWia09b.dll [2013.03.22 15:53:20 | 000,053,760 | ---- | C] (Brother Industries, Ltd.) -- C:\Windows\System32\BrUsi09a.dll [2013.03.22 15:52:29 | 000,000,000 | ---D | C] -- C:\Users\Mama\AppData\Roaming\InstallShield [2013.03.14 03:01:24 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2013.03.14 03:01:22 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2013.03.14 03:01:22 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2013.03.14 03:01:21 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2013.03.14 03:01:21 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2013.03.14 03:01:19 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll [2013.03.14 03:01:19 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2013.03.14 03:01:17 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2013.03.13 16:41:26 | 000,000,000 | ---D | C] -- C:\Users\Mama\AppData\Local\Macromedia [2013.03.13 16:39:15 | 000,000,000 | ---D | C] -- C:\Users\Mama\AppData\Roaming\Mozilla [2013.03.13 16:39:15 | 000,000,000 | ---D | C] -- C:\Users\Mama\AppData\Local\Mozilla [2013.03.13 16:38:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla [2013.03.13 16:38:42 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service [2013.03.13 16:38:10 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2013.02.27 15:22:29 | 000,187,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAnimation.dll [2013.02.27 15:22:20 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMPhoto.dll [2013.02.27 15:22:16 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll [2013.02.27 15:22:16 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll [2013.02.27 15:22:16 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll [2013.02.27 15:22:15 | 000,364,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll [2013.02.27 15:22:14 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll [2013.02.27 15:22:14 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll [2013.02.27 15:22:14 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll [2013.02.27 15:22:14 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll [2013.02.27 15:22:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll [2013.02.27 15:22:14 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll [2013.02.27 15:22:13 | 001,988,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll [2013.02.27 15:22:12 | 002,284,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msmpeg2vdec.dll [2013.02.27 15:22:12 | 000,604,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll [2013.02.27 15:22:12 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxgi.dll [2013.02.27 15:22:12 | 000,249,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll [2013.02.27 15:22:12 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll [2013.02.27 15:22:11 | 001,504,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d11.dll [2013.02.27 15:22:11 | 001,247,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll [2013.02.27 15:22:11 | 001,158,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll [2013.02.27 15:22:11 | 001,080,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll [2013.02.27 15:22:11 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll [2013.02.27 15:22:10 | 003,419,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll [2013.02.27 15:22:10 | 000,207,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecsExt.dll ========== Files - Modified Within 30 Days ========== [2013.03.24 12:42:58 | 000,043,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\ynfablfc.sys [2013.03.24 12:41:10 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.03.24 12:40:58 | 1603,932,160 | -HS- | M] () -- C:\hiberfil.sys [2013.03.23 13:17:35 | 095,023,320 | ---- | M] () -- C:\ProgramData\3500503.pad [2013.03.23 13:17:33 | 000,001,045 | ---- | M] () -- C:\Users\Mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk [2013.03.23 12:01:51 | 000,001,090 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013.03.23 11:59:20 | 000,015,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.03.23 11:59:20 | 000,015,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.03.23 11:59:08 | 000,101,888 | ---- | M] () -- C:\Users\Mama\3050053.dll [2013.03.22 19:40:00 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013.03.22 19:40:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.03.22 16:06:34 | 000,273,113 | ---- | M] () -- C:\Users\Mama\Desktop\001.jpg [2013.03.22 15:54:52 | 000,002,100 | ---- | M] () -- C:\Users\Public\Desktop\Brother Creative Center.lnk [2013.03.22 15:54:34 | 000,000,862 | ---- | M] () -- C:\Windows\Brpfx04a.ini [2013.03.22 15:54:34 | 000,000,153 | ---- | M] () -- C:\Windows\brpcfx.ini [2013.03.22 15:54:13 | 000,000,050 | ---- | M] () -- C:\Windows\System32\bridf08b.dat [2013.03.22 15:54:11 | 000,000,467 | ---- | M] () -- C:\Windows\BRWMARK.INI [2013.03.22 15:54:11 | 000,000,027 | ---- | M] () -- C:\Windows\BRPP2KA.INI [2013.03.18 18:23:37 | 000,057,491 | ---- | M] () -- C:\Users\Mama\Desktop\new-york-skyline.jpg [2013.03.13 16:38:45 | 000,001,119 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2013.03.13 15:40:47 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe [2013.03.13 15:40:47 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl ========== Files Created - No Company Name ========== [2013.03.23 13:17:33 | 000,001,045 | ---- | C] () -- C:\Users\Mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk [2013.03.23 11:59:09 | 095,023,320 | ---- | C] () -- C:\ProgramData\3500503.pad [2013.03.23 11:59:07 | 000,101,888 | ---- | C] () -- C:\Users\Mama\3050053.dll [2013.03.22 16:06:34 | 000,273,113 | ---- | C] () -- C:\Users\Mama\Desktop\001.jpg [2013.03.22 15:54:13 | 000,000,050 | ---- | C] () -- C:\Windows\System32\bridf08b.dat [2013.03.22 15:54:11 | 000,000,027 | ---- | C] () -- C:\Windows\BRPP2KA.INI [2013.03.18 18:23:46 | 000,057,491 | ---- | C] () -- C:\Users\Mama\Desktop\new-york-skyline.jpg [2013.03.13 16:38:45 | 000,001,131 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [2013.03.13 16:38:45 | 000,001,119 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk [2011.09.14 15:55:56 | 000,000,862 | ---- | C] () -- C:\Windows\Brpfx04a.ini [2011.09.14 15:55:56 | 000,000,153 | ---- | C] () -- C:\Windows\brpcfx.ini [2011.09.14 15:54:54 | 000,000,050 | ---- | C] () -- C:\Windows\System32\BRIDF10A.DAT [2011.09.14 15:54:46 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat [2011.08.08 17:20:30 | 000,000,467 | ---- | C] () -- C:\Windows\BRWMARK.INI [2011.05.16 13:31:44 | 000,008,592 | ---- | C] () -- C:\Windows\System32\ractrlkeyhook.dll [2011.04.18 16:42:43 | 000,028,672 | ---- | C] () -- C:\ProgramData\data.dll ========== ZeroAccess Check ========== [2009.07.14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both ========== Alternate Data Streams ========== @Alternate Data Stream - 608 bytes -> C:\Windows\System32\drivers\ynfablfc.sys:changelist @Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:15D5AA51 < End of report > Code:
ATTFilter OTL Extras logfile created on: 24.03.2013 12:45:18 - Run 1 OTL by OldTimer - Version 3.2.69.0 Folder = D:\ Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000c07 | Country: Österreich | Language: DEA | Date Format: dd.MM.yyyy 1,99 Gb Total Physical Memory | 1,69 Gb Available Physical Memory | 84,90% Memory free 3,98 Gb Paging File | 3,70 Gb Available in Paging File | 92,91% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 74,43 Gb Total Space | 46,50 Gb Free Space | 62,47% Space Free | Partition Type: NTFS Drive D: | 1,95 Gb Total Space | 1,76 Gb Free Space | 90,41% Space Free | Partition Type: FAT32 Computer Name: SILBERNER_COMPU | User Name: Mama | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_USERS\S-1-5-21-2523976142-1527386152-3711227914-1004\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) http [open] -- Reg Error: Key error. https [open] -- Reg Error: Key error. inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0E5A49A0-07DD-44D4-99BE-3E65C9CA2A38}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{17517A28-A144-4B17-AB4C-C80CA96CC3B6}" = rport=137 | protocol=17 | dir=out | app=system | "{1AC35333-74DA-4FB0-BECC-0FEEAF61E22A}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | "{218707BC-7A27-4501-B686-8F95C0A0D66E}" = lport=139 | protocol=6 | dir=in | app=system | "{247BE307-7889-4DE3-8100-458DD02212E8}" = lport=2869 | protocol=6 | dir=in | app=system | "{293FBB51-32D6-476C-9F47-818EB587244C}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{29B28BA2-4233-4A36-92C7-80C9AFC19970}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{3389958C-6DFE-495C-BD85-943A36E0CA58}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{44809F11-9C4C-4D42-8418-0DC8E7DE2969}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{4FFD2189-77E1-4DFE-B2B4-6DEDEF7E8551}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{5224A80E-606C-4732-BA7C-BED151B06231}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{5536A025-1B8B-418F-B275-0F48D734C6EA}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{5FF25177-141B-4C34-83D2-57EF164BA51E}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{640D6093-7AA2-4960-A810-45DF5ED22B73}" = rport=445 | protocol=6 | dir=out | app=system | "{642AE6AD-F9D8-403A-B4DB-5AF4F53B5722}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{6F6D24E4-282F-4772-96D8-A0709EEA7B4D}" = lport=445 | protocol=6 | dir=in | app=system | "{76A75BB1-A0CC-44D7-ABC0-3E71742C49FA}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{78DAD64E-3F7E-413B-835A-C682784EFD05}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{7E301C94-0D63-4BFD-B432-414925770C8B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{7F6D0A15-4DB3-48C1-BC59-42A7C23A6173}" = lport=54925 | protocol=17 | dir=in | name=brothernetwork scanner | "{7F8160F0-1540-4FB1-96E5-B9D8C9F55D7B}" = lport=2869 | protocol=6 | dir=in | app=system | "{850774E4-8496-493A-A1A1-DE923F88630E}" = lport=137 | protocol=17 | dir=in | app=system | "{85FDC5AF-5441-4A48-AB16-7656E1A6B743}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{890A9543-DA3C-4740-9663-9D109751FCDD}" = lport=10243 | protocol=6 | dir=in | app=system | "{8E6E1B17-0A1E-47F9-82B3-2F472D43D32D}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{B077329B-E49F-4204-9716-BAE6D389C337}" = rport=138 | protocol=17 | dir=out | app=system | "{C0527949-B56F-4E27-ADCA-E9E67A1956D6}" = lport=138 | protocol=17 | dir=in | app=system | "{C13E917B-0233-4C8E-88C5-2435B087DEDB}" = rport=139 | protocol=6 | dir=out | app=system | "{C50FC323-D7C3-41C5-B2B7-BA16322A5446}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{C8B9B028-6ADD-4370-9EF8-73005CB85F7D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | "{C8CBA394-F38D-49AA-955F-4A6733472466}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe | "{C9DD2C5E-9682-4C2E-82D8-CBB76239D51D}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | "{D430B68F-D1A3-42D3-8B89-175C2E57E2FC}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{DB20D932-3B42-4BE6-8031-FB4107598097}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{F89131AB-B238-46EA-A05D-083CF9EF36A3}" = rport=10243 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{225F81B6-B0E8-4F32-895A-F3048740BBA8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{22957FF5-5730-4798-9203-39077657B0CB}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{233E7F6E-BBE0-4A21-83F8-FFA4F32D5C6E}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{25263DA5-A30E-40D4-A077-B45975642571}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{3096B39F-0074-496A-8873-897CFCABD670}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{3192ADCD-2F39-4C5B-9DCD-1E50AC16E3FF}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{31E5CDF4-7F55-4C18-891E-44C9BDC19447}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{351BF145-B67B-4CFD-8706-71E2D0270C39}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{3D7B0E71-B4A5-47D4-8395-B7DBF77457E6}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{4337939F-5566-44ED-9D36-8EC768965FC4}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{461C0AC0-4A27-4DD2-911B-7BC07813CB76}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.524\agent.exe | "{5453525A-1311-4C87-93A1-D1549709D470}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{55131EE6-37FE-4033-A5DA-8153B8EBCCB3}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{57E3F4C0-C6CF-461D-8284-472DA7E62705}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | "{616D8C02-8703-4957-98B6-15ED22C17B5E}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{6780D536-2DA8-4CEA-A6D5-28FC20304636}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{690210E6-297B-4C98-B471-24DC2B5746EE}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.524\agent.exe | "{6AC04FAD-E506-4D7A-AC84-7D40164D454D}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{6FD2837A-D2B6-4B3C-8E5C-20C4B455AF78}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{7A264B74-77CF-452C-A1E7-85B095709F0D}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{7BDEFA74-0EC7-45DC-BE4E-001091B7F709}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{7E81E2EB-3C34-4F2B-A0CB-F7AFA8CB616A}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | "{7FB307AD-E45E-4188-95B7-9673547AD03E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{9913C77D-557D-4E87-875B-317791344329}" = protocol=6 | dir=out | app=system | "{9A8015C4-7FBE-46C9-9A9A-0DF830DEF91D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{9D977E36-64CF-43F5-B47E-CE73C739A723}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{A860A5DB-69CB-4058-A118-615D8BF9B2FC}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{BF586B06-2444-475B-AFBE-C3A7015B8AB6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{C059DD34-7AC6-4DF8-A50B-44B844A9A837}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{CF045FC2-98DD-4A27-9263-CFE341BC2289}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{CFF1B4D5-D12D-412A-B8C1-2071282AFC8E}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{D226EBF9-078A-47D1-B475-4CEA6A07AD10}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{D5704967-A7BA-4E15-A727-F856C47E8B39}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | "{D8A35A59-EEBD-4A87-A583-02AF3722E360}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{E28EA137-ED3B-4512-B9ED-842A6FF2FCC4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{ECAA6653-CA86-4AFB-BFE6-65570667C232}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "TCP Query User{07C6419B-38AD-410B-ACF6-E5A59D271CB5}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe | "TCP Query User{2E90C5F3-3240-420D-A0CC-5966F4611A2B}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "TCP Query User{31BF0C6F-0225-45C2-BFCA-2F9CFD16100A}C:\program files\ts3 server\ts3server_win32.exe" = protocol=6 | dir=in | app=c:\program files\ts3 server\ts3server_win32.exe | "TCP Query User{739B81F6-BD95-4E1C-9158-2F1B63C4D96D}C:\program files\ts3 server\ts3server_win32.exe" = protocol=6 | dir=in | app=c:\program files\ts3 server\ts3server_win32.exe | "TCP Query User{9ED2E854-26DB-43A8-B11E-3C1441926FB4}E:\downloads\teamspeak3-server_win32\ts3server_win32.exe" = protocol=6 | dir=in | app=e:\downloads\teamspeak3-server_win32\ts3server_win32.exe | "UDP Query User{10F3B929-A2D7-473D-B6A5-EE6542E56E51}C:\program files\ts3 server\ts3server_win32.exe" = protocol=17 | dir=in | app=c:\program files\ts3 server\ts3server_win32.exe | "UDP Query User{16E42E10-0B14-44B4-947D-E936181A8401}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "UDP Query User{87F65B9A-36D4-41F7-8B2F-1A12505AB4E6}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe | "UDP Query User{B0D2A5B4-FE26-434F-A5D0-BA62A4E1CB03}E:\downloads\teamspeak3-server_win32\ts3server_win32.exe" = protocol=17 | dir=in | app=e:\downloads\teamspeak3-server_win32\ts3server_win32.exe | "UDP Query User{B6498552-1414-48AC-9DE6-7D65F17DFBC4}C:\program files\ts3 server\ts3server_win32.exe" = protocol=17 | dir=in | app=c:\program files\ts3 server\ts3server_win32.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID-Anmelde-Assistent "{08C8666B-C502-4AB3-B4CB-D74AC42D14FE}" = Nero BackItUp 10 Help (CHM) "{16987E99-C95C-4513-9239-7B44A0A71DB5}" = Nero SoundTrax 10 Help (CHM) "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}" = Nero MediaHub 10 "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{237CCB62-8454-43E3-B158-3ACD0134852E}" = High-Definition Video Playback "{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10 "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 29 "{277C1559-4CF7-44FF-8D07-98AA9C13AABD}" = Nero Multimedia Suite 10 "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform "{329411A0-19F3-4740-874F-17400B126F27}" = Nero Vision 10 Help (CHM) "{33643918-7957-4839-92C7-EA96CB621A98}" = Nero Express 10 Help (CHM) "{34490F4E-48D0-492E-8249-B48BECF0537C}" = Nero DiscSpeed 10 "{390DD8BB-BB57-4942-A029-2D913E4E9D74}" = Microsoft Security Client "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{40C4903E-EDFB-4CAE-A611-41FEBA585921}" = VTech Download Agent Library "{48D082B9-18F6-4426-AFAC-8B6A3E7021B1}" = Brother MFL-Pro Suite MFC-250C "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM) "{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM) "{586509F0-350D-48B5-B763-9CC2F8D96C4C}" = Windows Live Sync "{5F548A02-80BC-404D-BAE6-F05F9BF6B449}" = Nero DiscCopyGadget 10 Help (CHM) "{63AA3EAB-23BB-48B2-9AD0-44F878075604}" = Nero 10 Menu TemplatePack Basic "{63B7AC7E-0178-4F4F-A79B-08D97ADD02D7}" = System Requirements Lab for Intel "{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update "{66049135-9659-4AAD-9169-9CCA269EBB3E}" = Nero InfoTool 10 Help (CHM) "{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10 "{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7A295D8F-484B-4FFB-89AB-C1FD497591FE}" = Nero WaveEditor 10 Help (CHM) "{7A5D731D-B4B3-490E-B339-75685712BAAB}" = Nero Burning ROM 10 "{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}" = Nero Recode 10 "{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007 "{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007 "{90120000-0015-0407-0000-0000000FF1CE}_PROPLUS_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0016-0407-0000-0000000FF1CE}_PROPLUS_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}_PROPLUS_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007 "{90120000-0019-0407-0000-0000000FF1CE}_PROPLUS_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007 "{90120000-001A-0407-0000-0000000FF1CE}_PROPLUS_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}_PROPLUS_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_PROPLUS_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_PROPLUS_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007 "{90120000-0044-0407-0000-0000000FF1CE}_PROPLUS_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_PROPLUS_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In "{92E25238-61A3-4ACD-A407-3C480EEF47A7}" = Nero RescueAgent 10 Help (CHM) "{92EC1A84-7FFC-42DF-A8F6-79C21C4765A5}" = Nero DiscCopy Gadget 10 "{942E5031-2BD6-4C1B-918C-C8A1CBAE7B8C}" = Microsoft IntelliPoint 8.2 "{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10 "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{95120000-0122-0407-0000-0000000FF1CE}" = Microsoft Office Outlook Connector "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}" = Nero Vision 10 "{9B6B24BE-80E7-46C4-9FA5-B167D5E0F345}" = Nero BurningROM 10 Help (CHM) "{9BD2DD45-8763-4F12-BDC6-958FCFEF0FCB}" = Microsoft IntelliType Pro 8.2 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.6) - Deutsch "{AED2DD42-9853-407E-A6BC-8A1D6B715909}" = Windows Live Messenger "{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0 "{B7607FC8-72AD-486D-B6B7-A402D5876309}" = PerfectDisk 11 Professional "{C18A0418-442A-4186-AF98-D08F5054A2FC}" = Nero DiscSpeed 10 Help (CHM) "{C3273C55-E1E4-41FF-8D69-0158090DB8D8}" = Nero CoverDesigner 10 Help (CHM) "{C3580AC4-C827-4332-B935-9A282ED5BB97}" = Nero Dolby Files 10 "{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials "{D2041A37-5FEC-49F0-AE5C-3F2FFDFAA4F4}" = Windows Live Call "{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005 "{DB7C1D4A-08BA-4C7E-A8AA-B7F9BB372DCF}" = Nero Recode 10 Help (CHM) "{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer "{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}" = Nero SoundTrax 10 "{E337E787-CF61-4B7B-B84F-509202A54023}" = Nero RescueAgent 10 "{EDCDFAD5-DF80-4600-A493-E9DAD6810230}" = Nero WaveEditor 10 "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5 "{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10 "{F467862A-D9CA-47ED-8D81-B4B3C9399272}" = Nero MediaHub 10 Help (CHM) "{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic "{F6117F9C-ADB5-4590-9BE4-12C7BEC28702}" = Nero StartSmart 10 Help (CHM) "{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}" = Nero StartSmart 10 "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{FB83EAC4-E3F6-4666-B45B-44522F2344B6}" = Brother MFL-Pro Suite MFC-J265W "{FCF00A6E-FB58-477A-ABE9-232907105521}" = Nero CoverDesigner 10 "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "CCleaner" = CCleaner "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Microsoft IntelliPoint 8.2" = Microsoft IntelliPoint 8.2 "Microsoft IntelliType Pro 8.2" = Microsoft IntelliType Pro 8.2 "Microsoft Security Client" = Microsoft Security Essentials "Mozilla Firefox 19.0.2 (x86 de)" = Mozilla Firefox 19.0.2 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "PROPLUS" = Microsoft Office Professional Plus 2007 "WinLiveSuite_Wave3" = Windows Live Essentials "WinRAR archiver" = WinRAR ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 23.03.2013 06:56:38 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 11:56:38.605]: [00001800]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 06:57:13 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 11:57:13.113]: [00001800]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 06:57:47 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 11:57:47.621]: [00001800]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 06:58:22 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 11:58:22.453]: [00001800]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 06:58:57 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 11:58:57.281]: [00001800]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 06:59:32 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 11:59:32.218]: [00001800]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 07:00:07 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 12:00:07.453]: [00001800]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 07:02:00 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 12:02:00.218]: [00001724]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 07:02:36 | Computer Name = SILBERNER_COMPUTER | Source = Brother BrLog | ID = 1001 Description = STI BrtSTI: [2013/03/23 12:02:36.240]: [00001724]: GetDeviceIpAddress: GetAddressByName [BRW00225853B368] Error Error - 23.03.2013 08:17:53 | Computer Name = SILBERNER_COMPUTER | Source = Microsoft-Windows-CAPI2 | ID = 512 Description = Vom Kryptografiedienst konnte das VSS-Sicherungsobjekt "System Writer" nicht initialisiert werden. Details: Could not query the status of the EventSystem service. System Error: Der Computer wird heruntergefahren. . [ OSession Events ] Error - 02.06.2011 06:50:51 | Computer Name = thor3 | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6550.5004, Microsoft Office Version: 12.0.6425.1000. This session lasted 21 seconds with 0 seconds of active time. This session ended with a crash. Error - 31.12.2012 11:00:56 | Computer Name = SILBERNER_COMPUTER | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 936 seconds with 300 seconds of active time. This session ended with a crash. [ System Events ] Error - 24.03.2013 07:42:40 | Computer Name = SILBERNER_COMPUTER | Source = DCOM | ID = 10005 Description = Error - 24.03.2013 07:42:40 | Computer Name = SILBERNER_COMPUTER | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 24.03.2013 07:42:40 | Computer Name = SILBERNER_COMPUTER | Source = DCOM | ID = 10005 Description = Error - 24.03.2013 07:42:40 | Computer Name = SILBERNER_COMPUTER | Source = DCOM | ID = 10005 Description = Error - 24.03.2013 07:42:40 | Computer Name = SILBERNER_COMPUTER | Source = Service Control Manager | ID = 7023 Description = Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%126 Error - 24.03.2013 07:43:10 | Computer Name = SILBERNER_COMPUTER | Source = Service Control Manager | ID = 7023 Description = Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%126 Error - 24.03.2013 07:43:19 | Computer Name = SILBERNER_COMPUTER | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Sicherheitscenter" ist vom Dienst "Windows-Verwaltungsinstrumentation" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%126 Error - 24.03.2013 07:43:19 | Computer Name = SILBERNER_COMPUTER | Source = Service Control Manager | ID = 7023 Description = Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%126 Error - 24.03.2013 07:52:06 | Computer Name = SILBERNER_COMPUTER | Source = DCOM | ID = 10005 Description = Error - 24.03.2013 07:52:07 | Computer Name = SILBERNER_COMPUTER | Source = Microsoft Antimalware | ID = 2001 Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt. Neue Signaturversion: Vorherige Signaturversion: 1.147.218.0 Aktualisierungsquelle: %%859 Aktualisierungsphase: %%852 Quellpfad: Default URL Signaturtyp: %%800 Aktualisierungstyp: %%803 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: Vorherige Modulversion: 1.1.9302.0 Fehlercode: 0x8007043c Fehlerbeschreibung: Der Dienst kann nicht im abgesicherten Modus gestartet werden. < End of report > |
24.03.2013, 15:28 | #4 |
/// TB-Ausbilder | Bundespolizei-Trojaner blockiert abgesicherten Modus Martin, deine Nero 10 Programme sind nicht legal erworben, ist das korrekt?
__________________ cheers, Leo |
24.03.2013, 15:45 | #5 |
| Bundespolizei-Trojaner blockiert abgesicherten Modus Das weiß ich leider nicht, da der PC früher meinem älteren Bruder gehörte. Ich benutze Nero nicht... |
24.03.2013, 19:50 | #6 | |
/// TB-Ausbilder | Bundespolizei-Trojaner blockiert abgesicherten Modus Hallo Martin, Zitat:
Wir suchen nicht gezielt nach solchen Hinweisen, aber wenn wir sie sehen, dann können wir nicht mehr beide Augen zudrücken. Deshalb: Cracks und Keygens Die Logfiles deuten stark darauf hin, dass du nicht legal erworbene Software einsetzt. Nebst ihrer Illegalität sind Cracks und Patches aus dubioser Quelle auch sehr oft mit Schädlingen versehen, womit man sich also fast schon vorsätzlich infiziert. Wir haben uns hier auf dem Board darauf geeinigt, dass wir an dieser Stelle nicht weiter bereinigen, da wir ein solches Vorgehen nicht unterstützen. Wir haben dich in unserer Anleitung unter Punkt 8 der Foren-Regeln auch unmissverständlich darauf hingewiesen, wie wir damit umgehen werden. Diese Software hat ihren Preis und die Softwarefirmen leben von diesen Einnahmen. Als Alternative gibt es überall jede Menge sehr gute Freeware oder abgespeckte, günstig zu erwerbende Versionen. Unsere Empfehlung hier lautet, einen sauberen Neuanfang zu vollziehen, und unsere Hilfe beschränkt sich daher auf das Neuaufsetzen und Absichern deines Systems. Fragen dazu beantworten wir dir aber weiterhin gerne und zwar in unserem Unterforum Alles rund um Windows. Auch wenn ich dir absolut glaube, dass das noch von deinem Bruder und nicht von dir stammt, bereinigen wir den Rechner in diesem Zustand nicht. Am besten, du sicherst jetzt alle deine Daten, welche noch kein Backup haben (am besten mit Linux Live-CD: http://www.trojaner-board.de/82533-d...ted-magic.html), und setzt den Rechner dann komplett neu auf. Zudem laufen bei dir auch noch krumme Treiber. Da ist auch nebst dem Sperrbildschirm noch etwas faul.
__________________ --> Bundespolizei-Trojaner blockiert abgesicherten Modus |
24.03.2013, 20:24 | #7 |
| Bundespolizei-Trojaner blockiert abgesicherten Modus Danke für die Antwort ! Ich habe natürlich vollstes Verständnis dafür, dass ihr in solchen Fällen nicht mehr weitermachen dürft, immerhin unterliegt das Forum auch den Gesetzen. Vielen Dank nochmal dafür, dass du mir bei dem Problem geholfen hast, ich werde den Rechner jetzt neu aufsetzen, die wichtigen Daten sind bereits gesichert, dahingehende Unterstützung brauche ich also nicht. |
24.03.2013, 20:37 | #8 |
/// TB-Ausbilder | Bundespolizei-Trojaner blockiert abgesicherten Modus Hallo Martin, ja, die Regeln diesbezüglich kann ich auch nicht ändern, danke fürs Verständnis. Wenn man den Rechner von jemand anderem übernimmt, ist es sowieso eine gute Idee, das System komplett neu aufzusetzen. Man weiss ja nie, was noch alles für Altlasten mitgekommen sind. Wenn Probleme oder Fragen bei der Neuinstallation auftauchen, dann melde dich einfach im angegebenen Unterforum. Dieses Thema ist erledigt und wird aus meinen Abos gelöscht. Ich bekomme somit keine Benachrichtigung mehr über neue Antworten. Jeder andere Hilfesuchende bitte diese Anleitung lesen und einen eigenen Thread erstellen.
__________________ cheers, Leo |
Themen zu Bundespolizei-Trojaner blockiert abgesicherten Modus |
abgesicherte, abgesicherten, abgesicherter modus nicht möglich, anleitung, bereits, blockiert, bundespolizei trojaner, eingabeaufforderung, explorer.exe, folge, folgender, funktioniert, gestartet, hoffe, logon, modus, netzwerk, problem, schonmal, schwarzer, shell, sperrt, stelle, troja, trojaner-board, winlogon, zugriff |