Log analysis and evaluation: Click to Continue > by Browse to Save and http://searchiu.com/?affil=141 start page - Malware
Windows 7
If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
09.04.2013, 11:24 | #1
Click to Continue > by Browse to Save and http://searchiu.com/?affil=141 start page - Malware
Hello, my laptop seems to be infected with the Browse to Save virus. In addition, my Firefox start page is "hxxp://searchiu.com/?affil=141", which also seems to be malware. The start page cannot be changed: no matter whether I reset the start page in the Firefox options or enter other web addresses, the start page still remains searchiu.com. The symptoms of the Browse to Save virus are similar to those in this thread. On all kinds of websites some words are blue and underlined and lead to some advertising pages, or a banner is shown on mouseover. In addition, "save to browse" banners are simply displayed. I ran defogger, OTL and Gmer. The log files follow: OTL.txt: Code:
OTL logfile created on: 09.04.2013 09:39:19 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\***\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
1,61 Gb Total Physical Memory | 0,56 Gb Available Physical Memory | 35,03% Memory free
3,21 Gb Paging File | 1,86 Gb Available in Paging File | 57,97% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 146,09 Gb Total Space | 29,98 Gb Free Space | 20,52% Space Free | Partition Type: NTFS
Drive D: | 152,00 Gb Total Space | 55,97 Gb Free Space | 36,82% Space Free | Partition Type: NTFS
Computer Name: ***-ASUS | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013.04.09 09:37:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
PRC - [2013.03.12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) -- C:\Users\***\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2013.02.23 03:36:04 | 000,545,576 | ---- | M] (AnchorFree Inc.) -- C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
PRC - [2013.02.23 03:33:26 | 000,389,928 | ---- | M] () -- C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
PRC - [2013.02.23 03:29:46 | 000,453,928 | ---- | M] (AnchorFree Inc.) -- C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
PRC - [2013.02.08 11:46:24 | 001,320,768 | ---- | M] (Spigot, Inc.) -- C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
PRC - [2012.08.16 03:47:40 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co.
KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.05.08 13:58:23 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.08 13:58:22 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe PRC - [2011.12.21 16:40:56 | 000,578,264 | ---- | M] (Pandora.TV) -- C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe PRC - [2011.05.24 11:33:30 | 001,840,128 | ---- | M] (MAGIX AG) -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe PRC - [2011.01.17 19:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe PRC - [2011.01.17 19:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin PRC - [2010.07.09 23:45:00 | 000,984,400 | ---- | M] (Virage Logic Corporation / Sonic Focus) -- C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe ========== Modules (No Company Name) ========== MOD - [2012.01.10 13:38:49 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll MOD - [2011.11.02 00:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll MOD - [2011.11.02 00:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ========== Services (SafeList) ========== SRV:64bit: - [2011.11.10 05:11:32 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility) SRV:64bit: - [2011.11.09 23:08:52 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) 
[Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service) SRV - [2013.04.04 13:40:23 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2013.04.03 18:17:32 | 000,474,112 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\SoftwareUpdater\SystemStore.exe -- (SystemStoreService) SRV - [2013.03.14 13:51:48 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2013.02.23 03:36:04 | 000,545,576 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe -- (hshld) SRV - [2013.02.23 03:33:26 | 000,389,928 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -- (HssWd) SRV - [2013.02.23 03:29:46 | 000,453,928 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe -- (HssSrv) SRV - [2013.02.22 03:54:48 | 000,078,512 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE -- (HssTrayService) SRV - [2012.05.08 13:58:23 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.08 13:58:22 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. 
KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011.12.21 16:40:56 | 000,578,264 | ---- | M] (Pandora.TV) [Auto | Running] -- C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe -- (PanService) SRV - [2011.05.24 11:33:30 | 001,840,128 | ---- | M] (MAGIX AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs) SRV - [2011.04.26 14:54:12 | 002,702,848 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance) SRV - [2010.03.18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2013.02.22 03:53:00 | 000,042,184 | ---- | M] (Anchorfree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\taphss6.sys -- (taphss6) DRV:64bit: - [2013.02.22 03:43:20 | 000,046,280 | ---- | M] (AnchorFree Inc.) 
[Kernel | System | Running] -- C:\Windows\SysNative\drivers\hssdrv6.sys -- (HssDRV6) DRV:64bit: - [2012.08.01 20:13:40 | 000,038,632 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\taphss.sys -- (taphss) DRV:64bit: - [2012.06.23 13:41:00 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01) DRV:64bit: - [2012.05.27 15:52:29 | 000,118,400 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ezplay.sys -- (ezplay) DRV:64bit: - [2012.05.08 13:58:23 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb) DRV:64bit: - [2012.05.08 13:58:23 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(5).sys -- (WsAudio_DeviceS(5) DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(4).sys -- (WsAudio_DeviceS(4) DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(3).sys -- (WsAudio_DeviceS(3) DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(2).sys -- (WsAudio_DeviceS(2) DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(1).sys -- (WsAudio_DeviceS(1) DRV:64bit: - 
[2011.12.15 16:00:00 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr) DRV:64bit: - [2011.11.10 05:45:30 | 010,567,680 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag) DRV:64bit: - [2011.11.10 04:12:44 | 000,325,632 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap) DRV:64bit: - [2011.08.02 18:38:56 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64) DRV:64bit: - [2011.06.26 02:56:44 | 000,033,888 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\appliand.sys -- (appliandMP) DRV:64bit: - [2011.06.26 02:56:44 | 000,033,888 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\appliand.sys -- (appliand) DRV:64bit: - [2011.03.07 12:22:46 | 002,228,736 | ---- | M] (Atheros Communications, Inc.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr) DRV:64bit: - [2011.03.04 17:16:20 | 000,436,840 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2011.01.15 18:21:04 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone) DRV:64bit: - [2010.11.20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.20 15:32:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2010.11.20 15:32:46 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2010.11.20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010.11.04 12:52:54 | 000,038,016 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata) DRV:64bit: - [2010.11.04 12:52:52 | 000,075,904 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata) DRV:64bit: - [2010.02.18 10:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.05.18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://u-search.net/?a=1&e=1 IE - HKLM\..\SearchScopes,DefaultScope = {819218B0-1380-4BA2-89C3-E1BCF2DF5D69} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{819218B0-1380-4BA2-89C3-E1BCF2DF5D69}: "URL" = hxxp://u-search.net/?a=1&e=1&q={searchTerms} IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0A 1F 46 DD EF C0 CD 01 [binary data] IE - HKCU\..\URLSearchHook: {B922D405-6D13-4A2B-AE89-08A030DA4402} - No CLSID value found IE - HKCU\..\SearchScopes,DefaultScope = {819218B0-1380-4BA2-89C3-E1BCF2DF5D69} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{605D08E1-0E4D-4DEC-B3BD-D982C37638F1}: "URL" = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=827316&p={searchTerms} IE - HKCU\..\SearchScopes\{819218B0-1380-4BA2-89C3-E1BCF2DF5D69}: "URL" = 
hxxp://u-search.net/?a=1&e=1&q={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = ftp=204.124.180.101:3128;http=204.124.180.101:3128;https=204.124.180.101:3128;socks=204.124.180.101:3128 ========== FireFox ========== FF - prefs.js..browser.search.defaultengine: "u-Search" FF - prefs.js..browser.search.defaultenginename: "u-Search" FF - prefs.js..browser.search.defaultenginename,S: S", "" FF - prefs.js..browser.search.defaultthis.engineName: "" FF - prefs.js..browser.search.defaulturl: "hxxp://u-search.net/?a=1&e=2&q=" FF - prefs.js..browser.search.order.1: "u-Search" FF - prefs.js..browser.search.order.1,S: S", "" FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=827316&ilc=12" FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..browser.search.selectedEngine,S: S", "" FF - prefs.js..extensions.enabledAddons: %7Bb749fc7c-e949-447f-926c-3f4eed6accfe%7D:0.7.1.1 FF - prefs.js..extensions.enabledAddons: unplug%40compunach:2.054 FF - prefs.js..extensions.enabledAddons: foxyproxy%40eric.h.jung:4.2 FF - prefs.js..extensions.enabledAddons: groovesharkUnlocker%40overlord1337:1.3.2 FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.14 FF - prefs.js..extensions.enabledAddons: addon%40foxtab.com:1.4.51 FF - prefs.js..extensions.enabledAddons: ich%40maltegoetz.de:1.4.8 FF - prefs.js..extensions.enabledAddons: adonis.cuhk%40gmail.com:1.8.5 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0 FF - prefs.js..network.proxy.socks_remote_dns: true FF - prefs.js..network.proxy.type: 0 FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: "" FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "" FF - prefs.js..browser.startup.homepage: "" FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "" FF - 
prefs.js..keyword.URL: "hxxp://u-search.net/?a=1&e=2&q=" FF - prefs.js..browser.startup.homepage: "hxxp://u-search.net/?a=1&e=1" FF - user.js..browser.search.defaultengine: "u-Search" FF - user.js..browser.search.defaultenginename: "u-Search" FF - user.js..browser.search.order.1: "u-Search" FF - user.js..browser.startup.homepage: "hxxp://u-search.net/?a=1&e=1" FF - user.js..browser.search.defaulturl: "hxxp://u-search.net/?a=1&e=2&q=" FF - user.js..keyword.URL: "hxxp://u-search.net/?a=1&e=2&q=" FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.) FF:64bit: - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll File not found FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.) 
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (the VideoLAN Team) FF - HKCU\Software\MozillaPlugins\@phonostar.de/phonostar: C:\Program Files (x86)\phonostar-Player\npphonostarDetectNP.dll File not found FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.04.04 13:40:28 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.03.14 22:01:32 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 20.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.04.04 13:40:28 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 20.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.03.14 22:01:32 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2011.12.31 13:50:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions [2013.04.08 18:13:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions [2013.02.23 17:43:06 | 000,000,000 | ---D 
| M] (DownloadHelper) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2013.04.03 23:24:32 | 000,000,000 | ---D | M] (FoxTab) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\addon@foxtab.com [2013.02.17 19:32:24 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\foxyproxy@eric.h.jung [2013.04.06 10:21:36 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\ich@maltegoetz.de [2013.04.04 18:10:20 | 000,000,000 | ---D | M] (BRowsE2soave) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\oyoe1-iea@vqtgk-aie.com [2013.04.08 18:13:21 | 000,005,781 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\adonis.cuhk@gmail.com.xpi [2013.02.23 17:43:06 | 000,029,064 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\groovesharkUnlocker@overlord1337.xpi [2013.01.28 19:32:37 | 000,142,907 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\unplug@compunach.xpi [2013.03.14 16:35:17 | 000,552,809 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\uriloader@pdf.js.xpi [2012.09.17 15:57:22 | 000,061,705 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}.xpi [2013.02.14 22:26:47 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012.03.10 11:05:17 | 000,001,210 | ---- | M] () -- 
C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\searchplugins\search.xml [2012.09.29 11:03:39 | 000,003,915 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\searchplugins\sweetim.xml [2012.09.12 22:40:57 | 000,002,017 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\searchplugins\u-search.xml [2013.04.04 13:39:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2013.04.04 13:39:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2013.04.04 13:38:59 | 000,000,000 | ---D | M] (Hotspot Shield Helper (Please allow this installation)) -- C:\Program Files (x86)\mozilla firefox\extensions\afurladvisor@anchorfree.com [2013.04.04 13:40:26 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2011.12.21 07:08:50 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.08.31 16:08:41 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2011.12.21 07:08:50 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2011.12.21 07:08:50 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2011.12.21 07:08:50 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2011.12.21 07:08:50 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - Extension: BRowsE2soave = C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Extensions\omijpafilmeabcfknpnecgdnmpooanie\1\ O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - 
BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll (AnchorFree Inc.) O2 - BHO: (BRowsE2soave) - {2AF83333-6EB3-0F49-434E-A97D72D7C58D} - C:\ProgramData\BRowsE2soave\515da54828573.dll () O2 - BHO: (FoxTab) - {4DF4AC8C-FFA8-40FF-91F0-EB8389314B78} - C:\Users\***\AppData\LocalLow\FoxTab\IE\FoxTab.dll (The FoxTab Team) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (no name) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - No CLSID value found. O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found. O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor) O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe File not found O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [iSkysoft Helper Compact.exe] C:\Program Files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\ISHelper.exe File not found O4 - HKLM..\Run: [SearchSettings] C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.) 
O4 - HKLM..\Run: [SonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe (Virage Logic Corporation / Sonic Focus) O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - HKCU..\Run: [phonostar-Player] C:\Program Files (x86)\phonostar-Player\phonostarStarter.exe File not found O4 - HKCU..\Run: [Torrent2Exe[a9ef6dee1c772f6dbd50c99b4a0bd4dd968b7ec3]] D:\hdr\The_Lord_of_the_Rings__The_Fellowship_of_the_Ring_10.exe File not found O4 - Startup: C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\***\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) O4 - Startup: C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) 
O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33) O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22) O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.27.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{33E17A7B-286B-45FF-8D95-B8E47C0E083F}: DhcpNameServer = 192.168.27.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FC3A2165-EDC6-4E1A-AE4A-FC43A9BD1989}: DhcpNameServer = 192.168.10.33 O20 - AppInit_DLLs: (c:\progra~2\browse~1\sprote~1.dll) - c:\progra~2\browse~1\sprote~1.dll () O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{561c0e3b-a1ab-11e1-8b04-5404a671f5a2}\Shell - "" = AutoRun
O33 - MountPoints2\{561c0e3b-a1ab-11e1-8b04-5404a671f5a2}\Shell\AutoRun\command - "" = G:\AUTORUN.EXE
O33 - MountPoints2\{74b76b2b-33c6-11e1-b9a2-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{74b76b2b-33c6-11e1-b9a2-806e6f6e6963}\Shell\AutoRun\command - "" = E:\InstAll.exe
O33 - MountPoints2\{a5b73620-9787-11e1-88a0-7ede2bd680d8}\Shell - "" = AutoRun
O33 - MountPoints2\{a5b73620-9787-11e1-88a0-7ede2bd680d8}\Shell\AutoRun\command - "" = G:\AUTORUN.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013.04.09 09:37:35 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.04.07 15:10:41 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\ConvertXToDVD
[2013.04.04 18:11:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fraps
[2013.04.04 18:10:12 | 000,000,000 | ---D | C] -- C:\ProgramData\SoftSafe
[2013.04.04 18:08:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BrowseToSave
[2013.04.04 18:08:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BRowsE2soave
[2013.04.04 18:08:29 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\Google
[2013.04.04 18:08:29 | 000,000,000 | ---D | C] -- C:\ProgramData\BRowsE2soave
[2013.04.04 18:07:52 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2013.04.04 17:08:55 | 000,000,000 | ---D | C] -- C:\Fraps
[2013.04.04 13:38:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013.04.03 23:45:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freemium TubeBox
[2013.04.03 23:45:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Freemium
[2013.04.03 23:14:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SelfUpdater
[2013.04.03 22:36:10 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013.04.03 22:33:32 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\IsolatedStorage
[2013.04.03 22:32:46 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Freemium
[2013.04.03 22:32:44 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\Freemium TubeBox
[2013.04.03 22:32:17 | 000,000,000 | ---D | C] -- C:\Users\***\Desktop\Freemium TubeBox 3.6.1 Portable
[2013.04.03 20:43:53 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Ashampoo
[2013.04.03 20:43:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Ashampoo
[2013.04.03 18:17:00 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\Freetec
[2013.04.03 18:16:58 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\TubeBox
[2013.04.03 18:15:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SoftwareUpdater
[2013.04.03 18:10:39 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\DownloadGuide
[2013.03.14 22:01:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird
[2013.03.14 15:35:48 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\Video deluxe 2013
[2013.03.14 15:35:46 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\MAGIX
[2013.03.14 15:10:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MAGIX
[2013.03.14 15:10:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\MAGIX Shared
[2013.03.14 15:08:18 | 000,000,000 | ---D | C] -- C:\Programme (x86)
[2013.03.14 15:06:52 | 000,000,000 | ---D | C] -- C:\ProgramData\MAGIX
[2013.03.14 15:06:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\MAGIX Services
[2013.03.14 15:06:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSXML 4.0
[2013.03.10 17:24:11 | 000,086,016 | ---- | C] (MindVision Software) -- C:\Windows\unvise32.exe
[2013.03.10 17:24:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Postal 2
[2013.03.10 17:19:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Postal2
[2012.05.27 15:52:29 | 000,118,400 | ---- | C] (VSO Software) -- C:\Users\***\AppData\Roaming\ezplay.sys

========== Files - Modified Within 30 Days ==========

[2013.04.09 09:42:26 | 000,014,208 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.04.09 09:42:26 | 000,014,208 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.04.09 09:40:09 | 001,612,484 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.04.09 09:40:09 | 000,696,870 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.04.09 09:40:09 | 000,652,148 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.04.09 09:40:09 | 000,148,134 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.04.09 09:40:09 | 000,121,080 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.04.09 09:37:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.04.09 09:33:51 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.04.09 09:33:35 | 1292,673,024 | -HS- | M] () -- C:\hiberfil.sys
[2013.04.09 09:32:10 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.04.09 09:31:16 | 000,000,188 | ---- | M] () -- C:\Users\***\defogger_reenable
[2013.04.09 09:26:21 | 000,050,477 | ---- | M] () -- C:\Users\***\Desktop\Defogger.exe
[2013.04.08 22:38:29 | 000,017,308 | ---- | M] () -- C:\Users\***\Documents\Schriftliche Äußerung zum Sachverhalt.odt
[2013.04.08 07:36:08 | 000,001,189 | ---- | M] () -- C:\Users\***\AppData\Roaming\vso_ts_preview.xml
[2013.04.05 22:26:06 | 000,000,443 | ---- | M] () -- C:\Windows\cedt.INI
[2013.04.04 18:11:36 | 000,000,562 | ---- | M] () -- C:\Users\Public\Desktop\Fraps.lnk
[2013.04.03 23:45:56 | 000,001,052 | ---- | M] () -- C:\Users\Public\Desktop\Freemium TubeBox.lnk
[2013.04.03 23:36:16 | 000,001,049 | ---- | M] () -- C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013.04.03 23:35:49 | 000,001,015 | ---- | M] () -- C:\Users\***\Desktop\Dropbox.lnk
[2013.03.18 16:31:02 | 000,942,027 | ---- | M] () -- C:\Users\***\Documents\Von Schengen nach Maastricht.odt
[2013.03.18 08:07:31 | 000,294,099 | ---- | M] () -- C:\Users\***\Desktop\Von Schengen nach Maastricht.pdf
[2013.03.15 21:16:25 | 268,259,728 | ---- | M] () -- C:\Users\***\Desktop\video.mp4
[2013.03.15 17:55:18 | 000,002,112 | ---- | M] () -- C:\Users\***\.recently-used.xbel
[2013.03.15 17:49:11 | 000,210,913 | ---- | M] () -- C:\Users\***\Documents\Lissabonner Vertrag.jpg
[2013.03.15 17:43:14 | 000,295,624 | ---- | M] () -- C:\Users\***\Documents\Lissabonner Vertrag.pdf
[2013.03.15 17:19:38 | 000,062,320 | ---- | M] () -- C:\Users\***\Documents\Von Schengen nach Maastricht.pdf
[2013.03.14 17:59:32 | 000,419,120 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.03.14 15:12:04 | 000,120,200 | ---- | M] () -- C:\Windows\SysWow64\DLLDEV32i.dll
[2013.03.14 15:10:48 | 000,000,972 | ---- | M] () -- C:\Users\Public\Desktop\MAGIX Video deluxe 2013.lnk
[2013.03.11 21:47:03 | 000,000,103 | -H-- | M] () -- C:\Users\***\Desktop\.~lock.deutschlisa.odt#
[2013.03.11 18:19:52 | 006,388,093 | ---- | M] () -- C:\Users\***\Documents\Cannabis.odp

========== Files Created - No Company Name ==========

[2013.04.09 09:31:16 | 000,000,188 | ---- | C] () -- C:\Users\***\defogger_reenable
[2013.04.09 09:26:08 | 000,050,477 | ---- | C] () -- C:\Users\***\Desktop\Defogger.exe
[2013.04.08 19:11:18 | 000,017,308 | ---- | C] () -- C:\Users\***\Documents\Schriftliche Äußerung zum Sachverhalt.odt
[2013.04.04 18:11:36 | 000,000,562 | ---- | C] () -- C:\Users\Public\Desktop\Fraps.lnk
[2013.04.03 23:45:56 | 000,001,052 | ---- | C] () -- C:\Users\Public\Desktop\Freemium TubeBox.lnk
[2013.03.18 08:07:27 | 000,294,099 | ---- | C] () -- C:\Users\***\Desktop\Von Schengen nach Maastricht.pdf
[2013.03.15 19:49:55 | 268,259,728 | ---- | C] () -- C:\Users\***\Desktop\video.mp4
[2013.03.15 17:55:18 | 000,002,112 | ---- | C] () -- C:\Users\***\.recently-used.xbel
[2013.03.15 17:43:09 | 000,295,624 | ---- | C] () -- C:\Users\***\Documents\Lissabonner Vertrag.pdf
[2013.03.15 17:38:10 | 000,210,913 | ---- | C] () -- C:\Users\***\Documents\Lissabonner Vertrag.jpg
[2013.03.15 17:10:22 | 000,062,320 | ---- | C] () -- C:\Users\***\Documents\Von Schengen nach Maastricht.pdf
[2013.03.14 17:40:20 | 000,942,027 | ---- | C] () -- C:\Users\***\Documents\Von Schengen nach Maastricht.odt
[2013.03.14 15:10:48 | 000,000,972 | ---- | C] () -- C:\Users\Public\Desktop\MAGIX Video deluxe 2013.lnk
[2013.03.11 21:47:03 | 000,000,103 | -H-- | C] () -- C:\Users\***\Desktop\.~lock.deutschlisa.odt#
[2013.03.11 18:19:41 | 006,388,093 | ---- | C] () -- C:\Users\***\Documents\Cannabis.odp
[2012.12.01 15:34:13 | 000,000,244 | ---- | C] () -- C:\Users\***\.swfinfo
[2012.11.08 18:27:35 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\rmc_rtspdl.dll
[2012.09.29 09:49:55 | 000,107,520 | RHS- | C] () -- C:\Windows\SysWow64\TAKDSDecoder.dll
[2012.09.23 18:20:56 | 000,001,189 | ---- | C] () -- C:\Users\***\AppData\Roaming\vso_ts_preview.xml
[2012.09.11 18:56:48 | 000,000,024 | ---- | C] () -- C:\Windows\Medi8or.ini
[2012.09.11 18:56:36 | 000,001,304 | ---- | C] () -- C:\Windows\mediator.dat
[2012.08.10 19:15:22 | 000,000,142 | ---- | C] () -- C:\Windows\SIERRA.INI
[2012.06.16 17:31:43 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2012.05.27 15:52:29 | 000,099,384 | ---- | C] () -- C:\Users\***\AppData\Roaming\inst.exe
[2012.05.27 15:52:29 | 000,007,833 | ---- | C] () -- C:\Users\***\AppData\Roaming\ezplay.cat
[2012.05.27 15:52:29 | 000,001,126 | ---- | C] () -- C:\Users\***\AppData\Roaming\ezplay.inf
[2012.05.27 15:52:29 | 000,000,125 | ---- | C] () -- C:\Users\***\AppData\Roaming\ezplay.ini
[2012.05.20 12:13:14 | 000,000,521 | ---- | C] () -- C:\Windows\eReg.dat
[2012.04.09 19:43:38 | 000,004,608 | ---- | C] () -- C:\Users\***\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012.02.26 12:27:34 | 000,032,256 | ---- | C] () -- C:\Windows\SysWow64\AVSredirect.dll
[2012.02.05 18:51:36 | 001,590,378 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.01.04 19:29:02 | 000,000,443 | ---- | C] () -- C:\Windows\cedt.INI
[2012.01.04 03:06:23 | 000,108,032 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2012.01.02 20:28:49 | 000,006,160 | ---- | C] () -- C:\Users\***\AppData\Roaming\gd.db
[2012.01.02 20:28:49 | 000,000,242 | ---- | C] () -- C:\Users\***\AppData\Roaming\groovedown.settings
[2011.12.31 20:40:04 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.11.10 04:36:06 | 000,204,960 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2011.11.10 04:36:06 | 000,157,152 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2011.11.09 23:39:44 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OpenVideo.dll
[2011.11.09 23:39:32 | 000,054,784 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

========== ZeroAccess Check ==========

[2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012.02.26 18:34:04 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\AnvSoft
[2013.04.03 20:43:53 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Ashampoo
[2013.02.22 23:34:11 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Audacity
[2013.03.06 12:57:09 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\avidemux
[2012.02.26 12:16:41 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Babylon
[2012.05.20 11:10:41 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Canneverbe Limited
[2012.11.09 17:34:18 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DAEMON Tools Lite
[2012.12.16 15:57:39 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Dev-Cpp
[2012.09.22 10:33:33 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Digiarty
[2013.04.09 09:35:05 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Dropbox
[2012.12.04 16:47:32 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DVDVideoSoft
[2012.11.08 13:01:41 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\EurekaLog
[2013.04.07 01:54:05 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\FileZilla
[2013.04.03 23:45:19 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Freemium
[2012.12.17 15:10:09 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\FreeMoviesToDVD
[2012.09.12 22:40:58 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Groovedown
[2012.09.12 22:40:58 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Groovedown_Uninstall
[2013.03.15 17:55:18 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\gtk-2.0
[2012.06.16 15:20:06 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\ImgBurn
[2012.01.02 20:28:49 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\lang
[2013.03.14 15:35:58 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\MAGIX
[2012.01.10 13:45:27 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\OpenOffice.org
[2013.02.27 12:36:36 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\pdfforge
[2012.10.21 00:05:48 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\phonostar GmbH
[2012.11.08 13:17:01 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Replay Media Catcher 4
[2012.01.10 14:48:33 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Thunderbird
[2013.04.08 06:45:29 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Vso

========== Purity Check ==========

< End of report >

Code:
OTL Extras logfile created on: 09.04.2013 09:39:19 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\***\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1,61 Gb Total Physical Memory | 0,56 Gb Available Physical Memory | 35,03% Memory free
3,21 Gb Paging File | 1,86 Gb Available in Paging File | 57,97% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 146,09 Gb Total Space | 29,98 Gb Free Space | 20,52% Space Free | Partition Type: NTFS
Drive D: | 152,00 Gb Total Space | 55,97 Gb Free Space | 36,82% Space Free | Partition Type: NTFS

Computer Name: ***-ASUS | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01F4DA35-93B4-4EE5-8F07-D20F5C2DEB99}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{0A47694A-0592-4932-911C-255363211CB2}" = rport=10243 | protocol=6 | dir=out | app=system |
"{0FD74214-A025-4B9F-ABAD-A18BA73A5F60}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{11FED726-D47A-408E-83F9-9F9EEE66BB1A}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{1688719C-99CB-4FF3-A511-43EC4F897E9B}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{1722B74A-8693-4349-BCEF-D9F46D241517}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{1B024AB0-8D11-403A-9B76-BE6E8383F664}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{1F08706C-202D-48E2-AE47-66883BC40C19}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{20C473B9-8D48-4755-BCDF-9F464BF818EC}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{25E98F3E-2D47-4A09-B433-785EA9CB1245}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{32DB14E4-57A6-4A3F-9FCD-553412C2F6C9}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{3CF1C591-94F8-4753-BE82-562A3DC3531F}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{3F15C3AB-7FB7-4E9D-8B80-02B83CF700B3}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{45B62E7F-3B44-4E74-97B7-9A077CA9A551}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{47E9A09F-E551-420A-B720-48C75FE3207B}" = lport=139 | protocol=6 | dir=in | app=system |
"{4BD0DF3F-4FD1-4BAF-983B-765AE38CB9C9}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{4FC5659C-2981-4E58-9E07-1328545FDF1C}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{53EA49B9-ADDE-4FBE-91B1-7717C4F8C68F}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{5824FFCC-2E10-49E7-88C9-B37C4A8D257E}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{5F04A618-6860-41D0-A624-AD15CCE157E7}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{5F69A8C1-12FA-473D-9817-6384CC8A9A04}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{630F2579-90AF-4F3A-BD1F-5C14F2B1963D}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{6406C847-A818-4B58-9CE8-B2A1F75625BF}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{659B30FC-E534-4A9B-9CCD-B18D70812F30}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{663A69DD-C317-4444-8B3A-075B34ECF978}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{695368AE-A8B8-4B21-9BCC-A6BC72C0B5F7}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6A17699C-A3BA-408F-A3DC-E0D515580B74}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{6AF543AE-C654-4C3D-82FC-D5C7BA554BA2}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{6F7C270D-240C-4683-BD8A-B334B2AD9FB2}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{70B6056B-C13B-41EA-B463-8FCCFE4A0EC0}" = rport=139 | protocol=6 | dir=out | app=system |
"{717A8EFE-2B73-4A0E-A445-ACA74744E151}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{72A4BE9B-885D-4BAD-866D-98DD76022B62}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{747EAB9C-277E-4D16-A052-F668BDF4F1F1}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{7567E01B-B044-478E-A8E1-ACF2B603FFCE}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{7E040544-0863-4695-B6AE-A0C01AD6BECB}" = rport=445 | protocol=6 | dir=out | app=system |
"{84046E89-3AF9-4EEB-9ABC-AC385CDE22E3}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{8BED41D8-FAF1-4E44-B47A-1E9711E0C98D}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe |
"{8E65E84D-DB13-4048-9EE9-21A4A79023AC}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{8F399E1C-BC66-4C2E-9C70-6A3F6AB79143}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{9176A182-D8B6-463C-9994-122F67D40129}" = lport=137 | protocol=17 | dir=in | app=system |
"{9282D338-5025-4EEE-B9E9-599B126AFBBA}" = lport=138 | protocol=17 | dir=in | app=system |
"{95A19215-8BE6-48DF-BF6C-DD981EECB698}" = lport=10243 | protocol=6 | dir=in | app=system |
"{976E8094-E8B2-4D09-806A-94D0AF7F8308}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{9862BFB2-4BFC-4C73-B486-299B5FDB1EAE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{9EE0117B-49A5-4EC3-9367-A719546554E7}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{9FEDB2DE-CEC3-4739-B78F-804E785BC95A}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{A88DDCA7-994C-4D3E-9E84-95C26C16768A}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{AB8227F2-D357-4998-990E-020EBE588DD0}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{B15AF2B6-CCCB-469D-866F-AE0F4065CC83}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{B85C3CED-0E52-405A-898F-AB383BE64BA6}" = rport=138 | protocol=17 | dir=out | app=system |
"{BC11FE91-05F5-46C8-8BCE-2BB606300C1E}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{BF289483-FE33-44DE-AF64-B41D332BF642}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{C03D564D-5655-4246-849B-AE264612BF33}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{C3B0E199-9A77-49DF-A977-199E32CBEC36}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{C7BE285D-EC93-40EF-BA46-3E25437BC4FC}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{C8CCCA07-FF31-4DF3-88D9-1398D5CC9B7E}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{C92731F0-9C9F-4963-A9B6-F4EC28D77DFA}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{D00658A9-3161-4C0B-811D-A5F18B6ADC12}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D090B816-406E-49DA-BB6E-F02E03FA977D}" = lport=2869 | protocol=6 | dir=in | app=system |
"{D12D777D-860E-43A5-9F0C-F5D8C6ACCF70}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{D96C33CA-F15E-491F-8BB9-908CF94EB3F8}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{E3F9A1D2-D32E-4979-9414-24475F96F367}" = rport=137 | protocol=17 | dir=out | app=system |
"{F0B85121-FA8B-41F7-846A-A3F2566700AB}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F9167BDD-7911-4C1C-A986-DE5B50106330}" = lport=445 | protocol=6 | dir=in | app=system |
"{FC706D1E-1E7D-49AE-AA3A-840FFBD9BEB8}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |
"{FFEAE8B8-2D2B-417C-A6AA-485C35B8595C}" = lport=4000 | protocol=6 | dir=out | app=c:\program files (x86)\dll-files.com fixer\dllfixer.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{07B07402-3410-4D7D-A999-865B2993E281}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{094B2455-3DE8-4F07-AA87-27DD4BBA1A02}" = protocol=6 | dir=out | app=system |
"{0AD7C013-1EAC-4AAF-8663-CCD136A4FEC9}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{0D735C61-7250-4362-A8AF-147582A4B753}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{1215004F-CC9A-4E53-9562-03A3C5D0A553}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{1374A1F6-169E-489D-BCDA-C963201F1CF1}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{1DDA3641-D0FD-4A7F-8B9D-0ED2365060D9}" = protocol=17 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{37AB9D0F-80BB-4805-9D5C-DFFB13203B73}" = protocol=6 | dir=in | app=c:\users\***\appdata\roaming\dropbox\bin\dropbox.exe |
"{3D439E63-AA62-4C4C-9FC8-02E471893D0C}" = protocol=6 | dir=in | app=c:\windows\syswow64\msiexec.exe |
"{468F0BEB-51B0-4720-B90F-622961FB4BA5}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{472AA3CD-CF99-4DC5-986C-29B1B8526643}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{47B0C4BA-1B51-4B12-83A3-D6EA25F0637D}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{4D6AAC7D-8147-4361-9672-5E87F199473F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{5516041B-AF1C-49F5-8361-8124D15C34F6}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{58D48ABF-CCF9-4A94-99D1-3A71FFD52748}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{6824FD90-6BEC-45E7-BEEC-417AA2D7C61F}" = protocol=17 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{74123421-95B8-420E-89A1-690F25206416}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{835082E7-0B9D-4A3F-A7F1-D3B8A6985F47}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{846B87C0-26F6-426B-8E9D-4EB65207E430}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8AD58ADB-05ED-47C9-A9DC-D3604C02A7F0}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{9188CFC6-4932-4861-A84A-24FC74645902}" = protocol=6 | dir=in | app=c:\program files (x86)\downloadtoolz\hulu video downloader\hulu_d.exe |
"{943F4C43-ADEB-4867-AD19-DD49096C48F1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{97832A68-5D5C-4FB7-9679-8308FBBED566}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{9CA0E70C-799F-417F-874C-B319C01941F3}" = protocol=17 | dir=in | app=c:\windows\syswow64\msiexec.exe |
"{BF7EDEC7-4505-43CF-9F21-14D008DA5DF8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C1EBAFF8-4BFA-4524-8F27-921E48F61290}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{C5A6FEAC-9CAC-4DAC-8B49-92368E2A22E4}" = protocol=17 | dir=in | app=c:\users\***\appdata\roaming\dropbox\bin\dropbox.exe |
"{C60BB474-949D-4B45-B1B8-17702633D0A9}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DFB17DF1-0324-48BB-9EB2-CC7E55E575F1}" = protocol=17 | dir=in | app=c:\program files (x86)\downloadtoolz\hulu video downloader\hulu_d.exe |
"{E1B49AAB-8A11-4038-A8F2-A9845B749FB2}" = protocol=6 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{E40F666A-A581-4949-A809-29A6D1215D65}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{E6C527CA-B5C8-40F2-A7D5-9989C5108774}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EF796DBF-15D6-461E-AC53-910448AAB9C9}" = protocol=6 | dir=in | app=c:\program files (x86)\pandora.tv\panservice\pandoraservice.exe |
"{F76B73DA-2D48-4770-9D81-6EFA5FFA5699}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{FB4D7BE2-F2FA-42FD-AF79-57A7B49A2DF4}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"TCP Query User{002FA12C-A174-4E71-AF8D-C787E2CAFF94}C:\program files (x86)\mozilla firefox\plugin-container.exe" = protocol=6 | dir=in | app=c:\program files (x86)\mozilla firefox\plugin-container.exe |
"TCP Query User{0BAF23D1-913B-4863-90E7-9A0484C2594F}D:\otrkeys\half life 2 by happy.part05\half life 2\hl2.exe" = protocol=6 | dir=in | app=d:\otrkeys\half life 2 by happy.part05\half life 2\hl2.exe |
"TCP Query User{0D6537EA-5109-45E1-B8FA-3EB3F194D470}C:\program files (x86)\tmnationsforever\tmforever.exe" = protocol=6 | dir=in | app=c:\program files (x86)\tmnationsforever\tmforever.exe |
"TCP Query User{0F38FEAC-7C7D-4433-85AE-811E7B74FBE0}C:\users\***\desktop\spiele\cod4\iw3mp.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\spiele\cod4\iw3mp.exe |
"TCP Query User{2138F118-8F5F-4F43-9529-6F44370C118E}D:\hdr\the_lord_of_the_rings__the_fellowship_of_the_ring_10.exe" = protocol=6 | dir=in | app=d:\hdr\the_lord_of_the_rings__the_fellowship_of_the_ring_10.exe |
"TCP Query User{3A1B21C2-ED21-4ACA-B159-238704F97E39}C:\users\***\desktop\rtmpexplorer\rtmpsrv.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\rtmpexplorer\rtmpsrv.exe |
"TCP Query User{3A985E8A-F3D3-490A-956F-D9E89D9BE6E8}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
"TCP Query User{44033CA5-60FF-4A11-8961-09B72232FA37}C:\users\***\desktop\rtmpdump-2.4-git-010913-windows\rtmpsrv.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\rtmpdump-2.4-git-010913-windows\rtmpsrv.exe |
"TCP Query User{5A8613BE-4CE3-4F21-9EB9-81A71078224D}C:\users\***\desktop\rtmpexplorer2\rtmpsrv.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\rtmpexplorer2\rtmpsrv.exe |
"TCP Query User{6EACA207-5D66-4ED0-BDB1-5A1E45BF8F03}C:\users\***\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\***\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{87334105-F209-4F88-8FF2-F4E18590143A}C:\program files (x86)\phonostar-player\phonostar.exe" = protocol=6 | dir=in | app=c:\program files (x86)\phonostar-player\phonostar.exe |
"TCP Query User{9071C708-53E0-4AE2-B2E4-6763878B30A8}D:\otrkeys\half life 2\hl2.exe" = protocol=6 | dir=in | app=d:\otrkeys\half life 2\hl2.exe |
"TCP Query User{940DA95D-69C2-422A-850A-4BB10555CB8B}C:\users\***\desktop\rtmpexplorer\rtmpsuck.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\rtmpexplorer\rtmpsuck.exe |
"TCP Query User{A299B8A4-16A1-4099-A1E8-B70BD6B78E9A}C:\users\***\desktop\spiele\counter-strike\hltv.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\spiele\counter-strike\hltv.exe |
"TCP Query User{ACFEABBC-657C-4F0E-9A1C-2D66B6FB27A8}C:\program files (x86)\tmnationsforever\tmforever.exe" = protocol=6 | dir=in | app=c:\program files (x86)\tmnationsforever\tmforever.exe |
"TCP Query User{ADD25604-0D07-4741-A5F0-159F7365A89E}C:\users\***\desktop\spiele\age of empires ii the conquerors\empires2.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\spiele\age of empires ii the conquerors\empires2.exe |
"TCP Query User{B66A31D0-49D0-4FCB-97A9-7EEC19CC4A63}C:\users\***\desktop\spiele\counter-strike\hl.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\spiele\counter-strike\hl.exe |
"TCP Query User{D065624A-5F8F-42A5-A1A7-06FF84B0E8F0}C:\users\***\desktop\rtmpexplorer\rtmpsrv-vlc.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\rtmpexplorer\rtmpsrv-vlc.exe |
"TCP Query User{E8D3AEC4-F0B4-452F-947D-B290F25C1056}C:\users\***\desktop\rtmpexplorer\rtmpgw.exe" = protocol=6 | dir=in | app=c:\users\***\desktop\rtmpexplorer\rtmpgw.exe |
"UDP Query User{18A72E5E-1A91-4E5D-A2D6-98AFFADA246B}C:\users\***\desktop\rtmpexplorer\rtmpgw.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\rtmpexplorer\rtmpgw.exe |
"UDP Query User{198B79A8-35FF-4A13-BF70-3C57AD5B3A3D}C:\users\***\desktop\spiele\cod4\iw3mp.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\spiele\cod4\iw3mp.exe |
"UDP Query User{22C1DB5F-3D74-4302-BF4D-D2544EA4DD89}C:\users\***\desktop\rtmpdump-2.4-git-010913-windows\rtmpsrv.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\rtmpdump-2.4-git-010913-windows\rtmpsrv.exe |
"UDP Query User{247FEE0A-9BC3-4FE6-9B25-615E1617C7E6}C:\users\***\desktop\rtmpexplorer2\rtmpsrv.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\rtmpexplorer2\rtmpsrv.exe |
"UDP Query User{26149AF1-F5FE-4DC0-B51F-56F67E9DA608}C:\users\***\desktop\rtmpexplorer\rtmpsrv.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\rtmpexplorer\rtmpsrv.exe |
"UDP Query User{27959DD7-DEB9-451B-9356-A4292E02834C}D:\hdr\the_lord_of_the_rings__the_fellowship_of_the_ring_10.exe" = protocol=17 | dir=in |
app=d:\hdr\the_lord_of_the_rings__the_fellowship_of_the_ring_10.exe | "UDP Query User{2A009D67-048A-41C3-8E79-BC16FDA2A090}D:\otrkeys\half life 2 by happy.part05\half life 2\hl2.exe" = protocol=17 | dir=in | app=d:\otrkeys\half life 2 by happy.part05\half life 2\hl2.exe | "UDP Query User{2BD7400C-664C-4B51-A6BA-FBDDF33D4DDD}D:\otrkeys\half life 2\hl2.exe" = protocol=17 | dir=in | app=d:\otrkeys\half life 2\hl2.exe | "UDP Query User{3CFCA7CB-F8D5-4D38-882E-7CBAD04EDBA3}C:\users\***\desktop\spiele\counter-strike\hl.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\spiele\counter-strike\hl.exe | "UDP Query User{43BE88E7-81B0-4037-A728-9C951B36B857}C:\program files (x86)\tmnationsforever\tmforever.exe" = protocol=17 | dir=in | app=c:\program files (x86)\tmnationsforever\tmforever.exe | "UDP Query User{46420E65-9F12-4499-83E3-AF8A5BA443F7}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe | "UDP Query User{4E829E1F-006E-4008-A443-B7823F702809}C:\users\***\desktop\rtmpexplorer\rtmpsuck.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\rtmpexplorer\rtmpsuck.exe | "UDP Query User{7862F8CC-D874-4AB6-9420-731514C46D4E}C:\users\***\desktop\rtmpexplorer\rtmpsrv-vlc.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\rtmpexplorer\rtmpsrv-vlc.exe | "UDP Query User{8AFAB0C8-B6AF-4249-8165-A44E6A732358}C:\program files (x86)\mozilla firefox\plugin-container.exe" = protocol=17 | dir=in | app=c:\program files (x86)\mozilla firefox\plugin-container.exe | "UDP Query User{9BC3E318-FE74-41DA-AC25-37DBF2F26A76}C:\program files (x86)\phonostar-player\phonostar.exe" = protocol=17 | dir=in | app=c:\program files (x86)\phonostar-player\phonostar.exe | "UDP Query User{9F83E311-E63A-4BCD-AFE7-E73DA7C3BDDD}C:\users\***\desktop\spiele\age of empires ii the conquerors\empires2.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\spiele\age of empires ii the conquerors\empires2.exe | "UDP Query 
User{AD73F28C-6F93-4B4F-A298-6BB14E839B3F}C:\users\***\desktop\spiele\counter-strike\hltv.exe" = protocol=17 | dir=in | app=c:\users\***\desktop\spiele\counter-strike\hltv.exe | "UDP Query User{C1F48B88-241A-4F64-A193-96067218892B}C:\program files (x86)\tmnationsforever\tmforever.exe" = protocol=17 | dir=in | app=c:\program files (x86)\tmnationsforever\tmforever.exe | "UDP Query User{F20CFA62-8AC7-479F-A088-3CFD997EC4E1}C:\users\***\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\***\appdata\roaming\dropbox\bin\dropbox.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== 64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64) "{0D04B2F4-BD8F-B8CE-DC9F-54369EC2783A}" = AMD Fuel "{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition) "{35A50BE1-FDD7-4FC7-CCE5-03D2A63D4CF4}" = AMD Catalyst Install Manager "{3C32C938-3071-BEF0-1EA5-403A420031A0}" = ccc-utility64 "{3F372A41-8007-012F-F5AE-685F588FC897}" = AMD Media Foundation Decoders "{48E18BB4-394D-4976-AB9D-716F9302A942}" = BrowseToSave "{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 "{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime "{5EDDD103-CF66-40DF-A0B9-DECDC0F017D5}" = MAGIX Video deluxe 2013 "{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour "{75104836-CAC7-444E-A39E-3F54151942F5}" = Apple Mobile Device Support "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended "{9ED333F8-3E6C-4A38-BAFA-728454121CDA}" = PDF-XChange Viewer "{D66F0C3C-24F2-4463-9E2F-4381E5C40A26}" = iTunes "{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile "CCleaner" = CCleaner "ffdshow64_is1" = ffdshow x64 v1.1.3476 [2010-06-15] "Microsoft .NET 
Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended "WinGimp-2.0_is1" = GIMP 2.6.8 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator "{005E738B-5A0A-4483-A900-877D183A8F45}_is1" = BlindWrite 6 "{0138F525-6C8A-333F-A105-14AE030B9A54}" = Visual C++ 9.0 CRT (x86) WinSXS MSM "{09BCB9CE-964B-4BDA-AE46-B5A0ABEF1D3F}" = Sonic Focus "{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{2461E016-9FB4-B233-A74D-91D11A664342}" = CCC Help English "{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22 "{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33 "{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2 "{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support "{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3 "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{51002784-18FA-8FF9-9A1A-2468E7FCA096}" = Catalyst Control Center Graphics Previews Common "{576E71DA-3000-48F6-9B21-B9A70D47DFCF}" = Star Wars JK II Jedi Outcast "{5E1375CB-6792-4464-8715-CC3EC83D48FA}" = VirtualDJ Home FREE "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM "{65D70656-D248-4C83-B594-E3029C43B37A}" = phase6_19 "{6C5F8503-55D2-4398-858C-362B7A7AF51C}" = Firebird SQL Server - MAGIX Edition "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver "{8F311E72-C27F-4DF0-8254-B739A1831668}_is1" = SUPER © v2012.build.53 (Sep 13, 2012) Version v2012.build.53 "{909F8EBC-EC7F-48FF-0085-475D818F0F31}" = Need for Speed Underground 2 "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 
Redistributable - x86 9.0.30729.17 "{A99968BE-C155-474C-0089-33239DEE1CE2}" = NFS Underground "{BAAE49C1-2844-4614-BCB9-1485569E344D}" = pdfforge Toolbar v6.9 "{C3F3165C-74D3-6FDB-3274-14FDA8698CFA}" = "{C454E7DD-A09A-6D06-7FF9-59753475FC09}" = AMD VISION Engine Control Center "{CE23BD08-F6FD-3337-D8BC-5B55E69263A5}" = Catalyst Control Center InstallProxy "{D3694B69-6F8C-42D3-8A0A-EB2AB528C02C}" = Atheros Client Installation Program "{D4911E92-A059-4901-8AB3-8638B6D96456}_is1" = Groovedown Version 0.84 "{DA109884-7CDC-5F21-5F0B-742AA74F84E1}" = Catalyst Control Center Localization All "{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.1.19.365 "{E19490CD-5380-4F37-B0A7-624D635605DC}" = Catalyst Control Center - Branding "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F2471277-4C40-44B8-9A5D-D170F237673C}" = TubeBox "4F6D5E84-5826-4394-9F40-3A9A19165651_is1" = Pandora Service "5513-1208-7298-9440" = JDownloader 0.9 "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11.6 "Any Video Converter_is1" = Any Video Converter 3.3.4 "Audacity_is1" = Audacity 2.0.2 "AudibleManager" = AudibleManager "Avidemux 2.5 (64-bit)" = Avidemux 2.5 "Avira AntiVir Desktop" = Avira Free Antivirus "Crimson Editor SVN286M" = Crimson Editor SVN286M "DAEMON Tools Lite" = DAEMON Tools Lite "Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2) "DVD Shrink DE_is1" = DVD Shrink 3.2 deutsch (DeCSS-frei) "ffdshow_is1" = ffdshow v1.1.3476 [2010-06-15] "FileZilla Client" = FileZilla Client 3.6.0.2 "Fraps" = Fraps (remove only) "Free Videos To DVD_is1" = Free Videos To DVD V 4.0.0 "Groovedown" = Groovedown "HotspotShield" = Hotspot Shield 2.88 "ImgBurn" = ImgBurn "LAME_is1" = LAME v3.99.3 (for Windows) "MAGIX_{5EDDD103-CF66-40DF-A0B9-DECDC0F017D5}" 
= MAGIX Video deluxe 2013 "Mozilla Firefox 20.0 (x86 de)" = Mozilla Firefox 20.0 (x86 de) "Mozilla Thunderbird 17.0.4 (x86 de)" = Mozilla Thunderbird 17.0.4 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "Postal 2" = Postal 2 "RonyaSoft CD DVD Label Maker" = RonyaSoft CD DVD Label Maker 3.01 "SP_f2a323db" = "SubtitleWorkshop" = Subtitle Workshop 2.51 "Textaizer Pro_is1" = Textaizer Pro v4.0 "The KMPlayer" = The KMPlayer (remove only) "tint" = Tint "TmNationsForever_is1" = TmNationsForever "TubeBox 3.5.3" = TubeBox "VLC media player" = VLC media player 1.1.11 "VSO DivxToDVD_is1" = DivxToDVD 0.5.2b "WinX DVD Author_is1" = WinX DVD Author 6.2 ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Dropbox" = Dropbox ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 08.04.2013 16:36:09 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 15320 Error - 08.04.2013 16:36:13 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 08.04.2013 16:36:13 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 19454 Error - 08.04.2013 16:36:13 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 19454 Error - 08.04.2013 16:36:14 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 08.04.2013 16:36:14 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 20452 Error - 08.04.2013 16:36:14 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: 
m->NextScheduledSPRetry 20452 Error - 08.04.2013 16:36:18 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 08.04.2013 16:36:18 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 24851 Error - 08.04.2013 16:36:18 | Computer Name = ***-Asus | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 24851 [ System Events ] Error - 06.04.2013 04:20:52 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst Wlansvc erreicht. Error - 06.04.2013 04:37:28 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7030 Description = Der Dienst "Hotspot Shield Service" ist als interaktiver Dienst gekennzeichnet. Das System wurde jedoch so konfiguriert, dass interaktive Dienste nicht möglich sind. Der Dienst wird möglicherweise nicht richtig funktionieren. Error - 06.04.2013 04:37:40 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Hotspot Shield Service" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 0 Millisekunden durchgeführt: Neustart des Diensts. Error - 06.04.2013 04:37:42 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7034 Description = Dienst "Hotspot Shield Routing Service" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. Error - 06.04.2013 09:05:32 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7030 Description = Der Dienst "Hotspot Shield Service" ist als interaktiver Dienst gekennzeichnet. Das System wurde jedoch so konfiguriert, dass interaktive Dienste nicht möglich sind. Der Dienst wird möglicherweise nicht richtig funktionieren. 
Error - 06.04.2013 09:05:44 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7034 Description = Dienst "Hotspot Shield Routing Service" wurde unerwartet beendet. Dies ist bereits 2 Mal passiert. Error - 06.04.2013 09:06:44 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7031 Description = Der Dienst "Hotspot Shield Service" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 0 Millisekunden durchgeführt: Neustart des Diensts. Error - 06.04.2013 09:55:01 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst ShellHWDetection erreicht. Error - 09.04.2013 02:48:55 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7000 Description = Der Dienst "StarWind AE Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 Error - 09.04.2013 03:34:01 | Computer Name = ***-Asus | Source = Service Control Manager | ID = 7000 Description = Der Dienst "StarWind AE Service" wurde aufgrund folgenden Fehlers nicht gestartet: %%2 < End of report > Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-04-09 11:50:09
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006a ST932032 rev.0003 298,09GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\***\AppData\Local\Temp\kwtcapod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1788] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1840] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_http_auth_create_response + 294 000000006ab32076 4 bytes [24, D9, B9, 68]
.text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1840] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_mp4_read_dec_config_descr + 435 000000006ab37283 4 bytes [74, 4C, 09, 66]
.text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[1840] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_nut_add_sp + 70 000000006ab751a6 4 bytes [20, EF, B9, 68]
.text C:\Users\***\AppData\Roaming\Dropbox\bin\Dropbox.exe[2360] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Users\***\AppData\Roaming\Dropbox\bin\Dropbox.exe[2360] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[2708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a71465 2 bytes [A7, 75]
.text C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe[2708] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a714bb 2 bytes [A7, 75]
.text ... * 2

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x49 0x92 0xE4 0xEF ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2E 0x06 0x6D 0x48 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB0 0x00 0xF3 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5F 0x10 0x6F 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x49 0x92 0xE4 0xEF ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2E 0x06 0x6D 0x48 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB0 0x00 0xF3 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5F 0x10 0x6F 0x75 ...

---- EOF - GMER 2.1 ----

Mojodo

Last edited by mojodo (09.04.2013, 11:44)
09.04.2013, 14:17 | #2 |
/// TB-Ausbilder

!! Note to anyone reading along !! This thread and its instructions are intended only for this specific case. They could seriously damage other computers. Please open your own thread.

I will help you with your problem. The cleanup only works if you stick to the following rules: Please read: Rules for the cleanup

Step 1: (Reminder: reply to me only once you have worked through all the steps!) Uninstalling programs

Step 2: AdwCleaner: find and delete adware. Please download AdwCleaner to your desktop.

Step 3: Scan with Combofix
09.04.2013, 17:22 | #3 |
During step 1, that is, uninstalling the programs, I found a program called BrowseToSave and uninstalled it right away.

Step 2: log file from AdwCleaner:

Code:
# AdwCleaner v2.200 - Datei am 09/04/2013 um 17:35:57 erstellt
# Aktualisiert am 02/04/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : *** - ***-ASUS
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\***\Desktop\adwcleaner.exe
# Option [Löschen]

**** [Dienste] ****

***** [Dateien / Ordner] *****

Datei Gelöscht : C:\user.js
Datei Gelöscht : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\foxydeal.sqlite
Datei Gelöscht : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\searchplugins\search.xml
Datei Gelöscht : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\searchplugins\SweetIm.xml
Datei Gelöscht : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\searchplugins\u-search.xml
Ordner Gelöscht : C:\Program Files (x86)\BrowseToSave
Ordner Gelöscht : C:\Program Files (x86)\SweetIM
Ordner Gelöscht : C:\ProgramData\Ask
Ordner Gelöscht : C:\ProgramData\Babylon
Ordner Gelöscht : C:\ProgramData\InstallMate
Ordner Gelöscht : C:\ProgramData\SoftSafe
Ordner Gelöscht : C:\Users\***\AppData\Local\Babylon
Ordner Gelöscht : C:\Users\***\AppData\LocalLow\BabylonToolbar
Ordner Gelöscht : C:\Users\***\AppData\Roaming\Babylon
Ordner Gelöscht : C:\Users\***\AppData\Roaming\pdfforge

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKCU\Software\APN PIP
Schlüssel Gelöscht : HKCU\Software\AppDataLow\SProtector
Schlüssel Gelöscht : HKCU\Software\Conduit
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Schlüssel Gelöscht : HKCU\Software\PIP
Schlüssel Gelöscht : HKCU\Software\Softonic
Schlüssel Gelöscht : HKLM\Software\Babylon
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Prod.cap
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Schlüssel Gelöscht : HKLM\Software\PIP
Schlüssel Gelöscht : HKLM\Software\SP Global
Schlüssel Gelöscht : HKLM\Software\SProtector
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]

***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

Ersetzt : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://u-search.net/?a=1&e=1 --> hxxp://www.google.com
Ersetzt : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main - Start Page] = hxxp://u-search.net/?a=1&e=1 --> hxxp://www.google.com

-\\ Mozilla Firefox v20.0 (de)

Datei : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\prefs.js

C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\user.js ... Gelöscht !

Gelöscht : user_pref("aol_toolbar.default.homepage.check", false);
Gelöscht : user_pref("aol_toolbar.default.search.check", false);
Gelöscht : user_pref("browser.newtab.url", "hxxp://u-search.net/?a=1&e=1");
Gelöscht : user_pref("browser.search.defaultengine", "u-Search");
Gelöscht : user_pref("browser.search.defaultenginename", "u-Search");
Gelöscht : user_pref("browser.search.defaulturl", "hxxp://u-search.net/?a=1&e=2&q=");
Gelöscht : user_pref("browser.search.order.1", "u-Search");
Gelöscht : user_pref("browser.startup.homepage", "hxxp://u-search.net/?a=1&e=1");
Gelöscht : user_pref("extensions.515da548284b7.scode", "(function(){try{if('aol.com,mail.google.com,premiumrepo[...]
Gelöscht : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Gelöscht : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Gelöscht : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Gelöscht : user_pref("extensions.BabylonToolbar_i.babExt", "");
Gelöscht : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=108298");
Gelöscht : user_pref("extensions.BabylonToolbar_i.hardId", "2ab9458200000000000074de2bd680d8");
Gelöscht : user_pref("extensions.BabylonToolbar_i.id", "2ab9458200000000000074de2bd680d8");
Gelöscht : user_pref("extensions.BabylonToolbar_i.instlDay", "15396");
Gelöscht : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Gelöscht : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Gelöscht : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Gelöscht : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Gelöscht : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Gelöscht : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Gelöscht : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Gelöscht : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1711:16:57");
Gelöscht : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Gelöscht : user_pref("keyword.URL", "hxxp://u-search.net/?a=1&e=2&q=");
Gelöscht : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Gelöscht : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Gelöscht : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Gelöscht : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Gelöscht : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Gelöscht : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Gelöscht : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Gelöscht : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v [Version kann nicht ermittelt werden]

Datei : C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

*************************

AdwCleaner[S1].txt - [8469 octets] - [09/04/2013 17:35:57]

########## EOF - C:\AdwCleaner[S1].txt - [8529 octets] ##########

Log file from Combofix:

Code:
ATTFilter
ComboFix 13-04-09.01 - *** 09.04.2013 17:52:57.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.1644.267 [GMT 2:00]
ausgeführt von:: c:\users\***\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\app
c:\programdata\app\Textaizer Pro\Projects\Default.mpr
c:\programdata\app\Textaizer Pro\Projects\Lene.mpr
c:\programdata\app\Textaizer Pro\Sources\Balloons.png
c:\programdata\app\Textaizer Pro\Sources\Beatles.txt
c:\programdata\app\Textaizer Pro\Sources\CiegaSordomuda.txt
c:\programdata\app\Textaizer Pro\Sources\Congrats.txt
c:\programdata\app\Textaizer Pro\Sources\Greetings.txt
c:\programdata\app\Textaizer Pro\Sources\Heer Bommel.jpg
c:\programdata\app\Textaizer Pro\Sources\Lene Marlin.jpg
c:\programdata\app\Textaizer Pro\Sources\Shakespeare.txt
c:\programdata\app\Textaizer Pro\Sources\Shakira.jpg
c:\programdata\app\Textaizer Pro\Sources\Stones.txt
c:\programdata\app\Textaizer Pro\Sources\Tin Tin.jpg
c:\programdata\app\Textaizer Pro\Textures\t_Burlap.jpg
c:\programdata\app\Textaizer Pro\Textures\t_Canvas.jpg
c:\programdata\app\Textaizer Pro\Textures\t_Concrete.jpg
c:\programdata\app\Textaizer Pro\Textures\t_Cork.jpg
c:\programdata\app\Textaizer Pro\Textures\t_Gaze.jpg
c:\programdata\app\Textaizer Pro\Textures\t_Jeans.jpg
c:\programdata\app\Textaizer Pro\Textures\t_Lightwood.jpg
c:\programdata\app\Textaizer Pro\Textures\t_Sandstone.jpg
c:\programdata\BRowsE2soave
c:\programdata\BRowsE2soave\515da54828573.dll
c:\programdata\BRowsE2soave\515da54828573.tlb
c:\programdata\BRowsE2soave\settings.ini
c:\users\***\AppData\Local\assembly\tmp
c:\windows\assembly\tmp\U
c:\windows\IsUn0407.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-03-09 bis 2013-04-09 ))))))))))))))))))))))))))))))
.
.
2013-04-09 16:06 . 2013-04-09 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-09 15:55 . 2013-04-09 15:55 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{16117A81-FAC2-446A-9302-BB2938E5F1BC}\offreg.dll
2013-04-05 15:57 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{16117A81-FAC2-446A-9302-BB2938E5F1BC}\mpengine.dll
2013-04-04 16:08 . 2013-04-04 16:08 -------- d-----w- c:\users\***\AppData\Local\Google
2013-04-04 15:08 . 2013-04-04 16:11 -------- d-----w- C:\Fraps
2013-04-03 21:45 . 2013-04-03 21:45 -------- d-----w- c:\program files (x86)\Freemium
2013-04-03 21:14 . 2013-04-03 21:30 -------- d-----w- c:\program files (x86)\SelfUpdater
2013-04-03 20:33 . 2013-04-03 20:33 -------- d-----w- c:\users\***\AppData\Local\IsolatedStorage
2013-04-03 20:32 . 2013-04-03 21:45 -------- d-----w- c:\users\***\AppData\Roaming\Freemium
2013-04-03 20:32 . 2013-04-03 20:32 -------- d-----w- c:\users\***\AppData\Local\Freemium TubeBox
2013-04-03 18:43 . 2013-04-03 18:43 -------- d-----w- c:\users\***\AppData\Roaming\Ashampoo
2013-04-03 18:43 . 2013-04-03 18:43 -------- d-----w- c:\programdata\Ashampoo
2013-04-03 16:17 . 2013-04-03 16:17 -------- d-----w- c:\users\***\AppData\Local\Freetec
2013-04-03 16:15 . 2013-04-03 16:18 -------- d-----w- c:\program files (x86)\SoftwareUpdater
2013-04-03 16:10 . 2013-04-03 16:12 -------- d-----w- c:\users\***\AppData\Local\DownloadGuide
2013-03-30 20:29 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-14 20:01 . 2013-03-15 15:09 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2013-03-14 14:34 . 2013-02-28 13:57 9061376 ----a-w- c:\windows\system32\mshtml.dll
2013-03-14 14:34 . 2013-02-28 13:57 12296192 ----a-w- c:\windows\system32\ieframe.dll
2013-03-14 14:34 . 2013-02-28 13:57 2458112 ----a-w- c:\windows\system32\iertutil.dll
2013-03-14 13:35 . 2013-03-14 13:35 -------- d-----w- c:\users\***\AppData\Roaming\MAGIX
2013-03-14 13:10 . 2013-03-14 13:10 -------- d-----w- c:\program files (x86)\Common Files\MAGIX Shared
2013-03-14 13:08 . 2013-03-14 13:08 -------- d-----w- C:\Programme (x86)
2013-03-14 13:06 . 2013-04-03 20:36 -------- d-----w- c:\programdata\MAGIX
2013-03-14 13:06 . 2013-03-14 13:08 -------- d-----w- c:\program files (x86)\Common Files\MAGIX Services
2013-03-14 13:06 . 2013-03-14 13:06 -------- d-----w- c:\program files (x86)\MSXML 4.0
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-14 13:12 . 2007-04-27 09:43 120200 ----a-w- c:\windows\SysWow64\DLLDEV32i.dll
2013-03-14 11:51 . 2012-05-06 14:35 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-14 11:51 . 2012-01-01 10:26 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-11 23:10 . 2011-12-31 18:24 282744 ------w- c:\windows\system32\MpSigStub.exe
2013-02-22 01:53 . 2013-02-22 01:53 42184 ----a-w- c:\windows\system32\drivers\taphss6.sys
2013-02-22 01:43 . 2013-02-22 01:43 46280 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2013-01-11 10:39 . 2013-02-27 10:35 103936 ----a-w- c:\windows\system32\pdfcmon.dll
2006-05-03 10:06 163328 --sha-r- c:\windows\SysWOW64\flvDX.dll
2007-02-21 11:47 31232 --sha-r- c:\windows\SysWOW64\msfDX.dll
2008-03-16 13:30 216064 --sha-r- c:\windows\SysWOW64\nbDX.dll
2010-01-06 22:00 107520 --sha-r- c:\windows\SysWOW64\TAKDSDecoder.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{4DF4AC8C-FFA8-40FF-91F0-EB8389314B78}]
2010-06-09 13:28 269312 ----a-w- c:\users\***\AppData\LocalLow\FoxTab\IE\FoxTab.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\***\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\***\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\***\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SonicMasterTray"="c:\program files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe" [2010-07-09 984400]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-09 343168]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-08-16 348664]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
c:\users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\***\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
p6_19_erinnerung.lnk - c:\program files (x86)\phase6\phase6_19\WinStart\WinStart.exe [2007-2-11 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SystemStoreService;System Store;c:\program files (x86)\SoftwareUpdater\SystemStore.exe -displayname System Store -servicename SystemStoreService [x]
R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 33888]
R3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 33888]
R3 ASUSProcObsrv;ASUS Process Creation/Termination Observer;e:\i386\AsPrOb64.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2011-04-26 2702848]
R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys [2013-02-22 42184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-12-19 29288]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-12-19 29288]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-12-19 29288]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-12-19 29288]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-12-19 29288]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2010-11-04 75904]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2010-11-04 38016]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-12-15 27760]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-06-23 283200]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-10 204288]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-11-09 361984]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-05-08 86224]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2011-05-24 1840128]
S2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [2011-12-21 578264]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-04 436840]
.
.
Inhalt des "geplante Tasks" Ordners
.
2013-04-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-06 11:51]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\***\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\***\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\***\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 162552 ----a-w- c:\users\***\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-28 12632168]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-07-28 2264168]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = ftp=204.124.180.101:3128;http=204.124.180.101:3128;https=204.124.180.101:3128;socks=204.124.180.101:3128
TCP: DhcpNameServer = 192.168.27.1
FF - ProfilePath - c:\users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - ExtSQL: 2013-03-14 15:35; uriloader@pdf.js; c:\users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\uriloader@pdf.js.xpi
FF - ExtSQL: 2013-04-04 18:10; oyoe1-iea@vqtgk-aie.com; c:\users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\oyoe1-iea@vqtgk-aie.com
FF - ExtSQL: 2013-04-08 18:13; adonis.cuhk@gmail.com; c:\users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\adonis.cuhk@gmail.com.xpi
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-Torrent2Exe[a9ef6dee1c772f6dbd50c99b4a0bd4dd968b7ec3] - d:\hdr\The_Lord_of_the_Rings__The_Fellowship_of_the_Ring_10.exe
Wow6432Node-HKCU-Run-phonostar-Player - c:\program files (x86)\phonostar-Player\phonostarStarter.exe
Wow6432Node-HKLM-Run-Aimersoft Helper Compact.exe - c:\program files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
Wow6432Node-HKLM-Run-iSkysoft Helper Compact.exe - c:\program files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\ISHelper.exe
AddRemove-{B164D51F-3328-BCA8-30EF-0D3667AD7424} - c:\progra~3\INSTAL~1\{EB4ED~1\Setup.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-04-09 18:13:11
ComboFix-quarantined-files.txt 2013-04-09 16:13
.
Vor Suchlauf: 13 Verzeichnis(se), 32.508.837.888 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 44.496.785.408 Bytes frei
.
- - End Of File - - 3C9C5A610D1DA25C9F65FCAD46CF3D12

No more ads, no more searchiu.com start page : |
09.04.2013, 17:39 | #4 |
/// TB-Ausbilder | Good! As far as I can see, we have removed everything malicious with that. To be sure, we now need to run a few more checks and will then bring your computer up to a secure state. Since these scans can take a very long time, please don't write back to me until you have really finished everything or problems come up.

Step 1: Quick scan with Malwarebytes
Please download Malwarebytes Anti-Malware

Step 2:
Note: The scan can take a very long time (several hours)!

Step 3: Scan with SecurityCheck
Please download SecurityCheck and:
__________________ Digital privateers against malware! No help via PM! |
09.04.2013, 22:40 | #5 |
| 1. Unfortunately I noticed that although the searchiu.com start page is gone, the Browse to Save mouseover ad links are still there. The logfiles follow:

Malwarebytes Anti-Malware:
Code:
ATTFilter
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.04.09.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
*** :: ***-ASUS [Administrator]

09.04.2013 18:50:07
mbam-log-2013-04-09 (18-50-07).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 212339
Laufzeit: 7 Minute(n), 47 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\AboutURLs|Tabs (Trojan.StartPage) -> Daten: hxxp://u-search.net/?a=1&e=1 -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

ESET Online Scanner:
Code:
ATTFilter
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=299d715e71f3df4794fad375cbd96460
# engine=13583
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-04-09 09:16:59
# local_time=2013-04-09 11:16:59 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1799 16775165 100 99 52114 230965509 82469 0
# compatibility_mode=5893 16776573 100 94 19293 117172069 0 0
# scanned=261528
# found=4
# cleaned=0
# scan_time=15007
sh=3E48C8D25B196D67722ED20CD36BF3448A4C9136 ft=1 fh=8ca2da5db5514665 vn="a variant of Win32/Adware.MultiPlug.I application" ac=I fn="C:\Qoobox\Quarantine\C\ProgramData\BRowsE2soave\515da54828573.dll.vir"
sh=A39B0E794763A73154BC9D12F67B6A08147BB271 ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Extensions\omijpafilmeabcfknpnecgdnmpooanie\1\515da5482835a1.16932457.js"
sh=700168761EF1DC44F85C8071A684626419D8C166 ft=0 fh=0000000000000000 vn="Win32/Adware.MultiPlug.H application" ac=I fn="C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\oyoe1-iea@vqtgk-aie.com\content\bg.js"
sh=9323EC839D64137837410A31A6D4D0E6C1CC1F88 ft=0 fh=0000000000000000 vn="HTML/ScrInject.B.Gen virus" ac=I fn="D:\Webseite\SE\Backup\index.php"

SecurityCheck:
Code:
ATTFilter
Results of screen317's Security Check version 0.99.61
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Avira Desktop
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware Version 1.70.0.1100
Adobe Flash Player 11.6.602.180
Mozilla Firefox (20.0)
Mozilla Thunderbird (17.0.4)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
|
10.04.2013, 13:29 | #6 |
/// TB-Ausbilder | Ah, there is something more we need to remove: Check scan with OTL
10.04.2013, 15:56 | #7 |
| OTL logfile:
Code:
ATTFilter
OTL logfile created on: 10.04.2013 16:22:23 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\***\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

1,61 Gb Total Physical Memory | 0,49 Gb Available Physical Memory | 30,79% Memory free
3,21 Gb Paging File | 1,18 Gb Available in Paging File | 36,86% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 146,09 Gb Total Space | 40,07 Gb Free Space | 27,43% Space Free | Partition Type: NTFS
Drive D: | 152,00 Gb Total Space | 52,72 Gb Free Space | 34,69% Space Free | Partition Type: NTFS

Computer Name: ***-ASUS | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013.04.09 18:40:32 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Program Files (x86)\Java\jre7\bin\javaw.exe
PRC - [2013.04.09 09:37:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
PRC - [2013.04.04 13:40:25 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2013.03.14 13:51:47 | 001,822,424 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe
PRC - [2013.03.12 09:05:50 | 029,106,336 | ---- | M] (Dropbox, Inc.) -- C:\Users\***\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2013.01.23 02:58:46 | 007,990,848 | ---- | M] (KMP Media co.,Ltd) -- C:\Program Files (x86)\The KMPlayer\KMPlayer.exe
PRC - [2012.08.16 03:47:40 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.05.08 13:58:23 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.08 13:58:22 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2011.12.21 16:40:56 | 000,578,264 | ---- | M] (Pandora.TV) -- C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe
PRC - [2011.05.24 11:33:30 | 001,840,128 | ---- | M] (MAGIX AG) -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
PRC - [2011.01.17 19:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
PRC - [2011.01.17 19:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
PRC - [2010.07.09 23:45:00 | 000,984,400 | ---- | M] (Virage Logic Corporation / Sonic Focus) -- C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe

========== Modules (No Company Name) ==========

MOD - [2013.04.04 13:40:18 | 003,143,576 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2013.03.14 13:51:47 | 014,717,144 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
MOD - [2013.01.18 09:47:48 | 004,548,096 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\libcodec.dll
MOD - [2012.10.31 10:59:32 | 000,538,112 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\libmplay.dll
MOD - [2012.01.10 13:38:50 | 000,170,496 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxslt.dll
MOD - [2012.01.10 13:38:49 | 000,985,088 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll
MOD - [2011.11.02 00:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011.11.02 00:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010.06.15 18:17:12 | 003,828,736 | ---- | M] () -- C:\Program Files (x86)\ffdshow\ffdshow.ax
MOD - [2008.12.05 09:42:30 | 000,123,036 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\libmad.dll
MOD - [2008.02.25 08:05:28 | 000,288,256 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\Plugins\in_wm.dll
MOD - [2008.02.25 08:05:28 | 000,231,424 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\Plugins\in_vorbis.dll
MOD - [2008.02.25 08:05:28 | 000,179,200 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\Plugins\in_nsv.dll
MOD - [2008.02.25 08:05:24 | 000,646,656 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\Plugins\IN_MP3.DLL
MOD - [2008.02.25 08:05:24 | 000,073,728 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\Plugins\in_mp4.dll
MOD - [2008.02.25 08:05:16 | 000,018,944 | ---- | M] () -- C:\Program Files (x86)\The KMPlayer\Plugins\gen_hotkeys.dll

========== Services (SafeList) ==========

SRV:64bit: - [2011.11.10 05:11:32 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011.11.09 23:08:52 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV - [2013.04.04 13:40:23 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.04.03 18:17:32 | 000,474,112 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\SoftwareUpdater\SystemStore.exe -- (SystemStoreService)
SRV - [2013.03.14 13:51:48 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.05.08 13:58:23 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.08 13:58:22 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.12.21 16:40:56 | 000,578,264 | ---- | M] (Pandora.TV) [Auto | Running] -- C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe -- (PanService)
SRV - [2011.05.24 11:33:30 | 001,840,128 | ---- | M] (MAGIX AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs)
SRV - [2011.04.26 14:54:12 | 002,702,848 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)
SRV - [2010.03.18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013.02.22 03:53:00 | 000,042,184 | ---- | M] (Anchorfree Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\taphss6.sys -- (taphss6)
DRV:64bit: - [2012.08.01 20:13:40 | 000,038,632 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\taphss.sys -- (taphss)
DRV:64bit: - [2012.06.23 13:41:00 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2012.05.27 15:52:29 | 000,118,400 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ezplay.sys -- (ezplay)
DRV:64bit: - [2012.05.08 13:58:23 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2012.05.08 13:58:23 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(5).sys -- (WsAudio_DeviceS(5)
DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(4).sys -- (WsAudio_DeviceS(4)
DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(3).sys -- (WsAudio_DeviceS(3)
DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(2).sys -- (WsAudio_DeviceS(2)
DRV:64bit: - [2011.12.19 16:41:32 | 000,029,288 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WsAudio_DeviceS(1).sys -- (WsAudio_DeviceS(1)
DRV:64bit: - [2011.12.15 16:00:00 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2011.11.10 05:45:30 | 010,567,680 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011.11.10 04:12:44 | 000,325,632 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011.08.02 18:38:56 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2011.06.26 02:56:44 | 000,033,888 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\appliand.sys -- (appliandMP)
DRV:64bit: - [2011.06.26 02:56:44 | 000,033,888 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\appliand.sys -- (appliand)
DRV:64bit: - [2011.03.07 12:22:46 | 002,228,736 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2011.03.04 17:16:20 | 000,436,840 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011.01.15 18:21:04 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2010.11.20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 15:32:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.20 15:32:46 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010.11.20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.11.04 12:52:54 | 000,038,016 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata)
DRV:64bit: - [2010.11.04 12:52:52 | 000,075,904 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata)
DRV:64bit: - [2010.02.18 10:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.05.18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com IE - HKLM\..\SearchScopes,DefaultScope = IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{819218B0-1380-4BA2-89C3-E1BCF2DF5D69}: "URL" = hxxp://u-search.net/?a=1&e=1&q={searchTerms} IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0A 1F 46 DD EF C0 CD 01 [binary data] IE - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\..\SearchScopes,DefaultScope = IE - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - 
HKU\S-1-5-21-3117137900-2794469432-700913142-1000\..\SearchScopes\{605D08E1-0E4D-4DEC-B3BD-D982C37638F1}: "URL" = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=827316&p={searchTerms} IE - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\..\SearchScopes\{819218B0-1380-4BA2-89C3-E1BCF2DF5D69}: "URL" = hxxp://u-search.net/?a=1&e=1&q={searchTerms} IE - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = ftp=204.124.180.101:3128;http=204.124.180.101:3128;https=204.124.180.101:3128;socks=204.124.180.101:3128 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename,S: S", "" FF - prefs.js..browser.search.defaultthis.engineName: "" FF - prefs.js..browser.search.order.1,S: S", "" FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=827316&ilc=12" FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..browser.search.selectedEngine,S: S", "" FF - prefs.js..extensions.enabledAddons: %7Bb749fc7c-e949-447f-926c-3f4eed6accfe%7D:0.7.1.1 FF - prefs.js..extensions.enabledAddons: unplug%40compunach:2.054 FF - prefs.js..extensions.enabledAddons: foxyproxy%40eric.h.jung:4.2 FF - prefs.js..extensions.enabledAddons: groovesharkUnlocker%40overlord1337:1.3.2 FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.14 FF - prefs.js..extensions.enabledAddons: addon%40foxtab.com:1.4.51 FF - prefs.js..extensions.enabledAddons: ich%40maltegoetz.de:1.4.8 FF - prefs.js..extensions.enabledAddons: adonis.cuhk%40gmail.com:1.8.5 FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found 
FF:64bit: - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.) FF:64bit: - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll () FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll File not found FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (the VideoLAN Team) FF - HKCU\Software\MozillaPlugins\@phonostar.de/phonostar: C:\Program Files (x86)\phonostar-Player\npphonostarDetectNP.dll File not found FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.04.04 13:40:28 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - 
HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.03.14 22:01:32 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 20.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.04.04 13:40:28 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 20.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.03.14 22:01:32 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins [2011.12.31 13:50:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions [2013.04.08 18:13:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions [2013.02.23 17:43:06 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2013.04.03 23:24:32 | 000,000,000 | ---D | M] (FoxTab) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\addon@foxtab.com [2013.02.17 19:32:24 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\foxyproxy@eric.h.jung [2013.04.06 10:21:36 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\ich@maltegoetz.de [2013.04.04 18:10:20 | 000,000,000 | ---D | M] (BRowsE2soave) -- 
C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\oyoe1-iea@vqtgk-aie.com [2013.04.08 18:13:21 | 000,005,781 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\adonis.cuhk@gmail.com.xpi [2013.02.23 17:43:06 | 000,029,064 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\groovesharkUnlocker@overlord1337.xpi [2013.01.28 19:32:37 | 000,142,907 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\unplug@compunach.xpi [2013.03.14 16:35:17 | 000,552,809 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\uriloader@pdf.js.xpi [2012.09.17 15:57:22 | 000,061,705 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}.xpi [2013.02.14 22:26:47 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\e0e7iwdh.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013.04.09 17:20:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2013.04.04 13:40:26 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2011.12.21 07:08:50 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.08.31 16:08:41 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2011.12.21 07:08:50 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2011.12.21 07:08:50 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2011.12.21 07:08:50 | 000,001,178 | ---- | M] () -- 
C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2011.12.21 07:08:50 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml ========== Chrome ========== CHR - Extension: BRowsE2soave = C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Extensions\omijpafilmeabcfknpnecgdnmpooanie\1\ O1 HOSTS File: ([2013.04.09 18:06:58 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (FoxTab) - {4DF4AC8C-FFA8-40FF-91F0-EB8389314B78} - C:\Users\***\AppData\LocalLow\FoxTab\IE\FoxTab.dll (The FoxTab Team) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor) O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [SonicMasterTray] C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe (Virage Logic Corporation / Sonic Focus) O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.) O4 - Startup: C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\***\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
O4 - Startup: C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3117137900-2794469432-700913142-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) 
O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.27.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{33E17A7B-286B-45FF-8D95-B8E47C0E083F}: DhcpNameServer = 192.168.27.1 O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013.04.09 22:24:43 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013.04.09 18:47:16 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Malwarebytes [2013.04.09 18:46:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2013.04.09 18:41:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java [2013.04.09 18:40:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java [2013.04.09 18:13:14 
| 000,000,000 | ---D | C] -- C:\Windows\temp [2013.04.09 17:49:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe [2013.04.09 17:49:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe [2013.04.09 17:49:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe [2013.04.09 17:48:38 | 000,000,000 | ---D | C] -- C:\Qoobox [2013.04.09 17:48:09 | 000,000,000 | ---D | C] -- C:\Windows\erdnt [2013.04.09 16:43:09 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\Audible [2013.04.09 09:37:35 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe [2013.04.07 15:10:41 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\ConvertXToDVD [2013.04.04 18:11:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fraps [2013.04.04 18:08:29 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\Google [2013.04.04 17:08:55 | 000,000,000 | ---D | C] -- C:\Fraps [2013.04.04 13:38:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2013.04.03 23:45:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freemium TubeBox [2013.04.03 23:45:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Freemium [2013.04.03 23:14:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SelfUpdater [2013.04.03 22:33:32 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\IsolatedStorage [2013.04.03 22:32:46 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Freemium [2013.04.03 22:32:44 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\Freemium TubeBox [2013.04.03 22:32:17 | 000,000,000 | ---D | C] -- C:\Users\***\Desktop\Freemium TubeBox 3.6.1 Portable [2013.04.03 20:43:53 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Ashampoo [2013.04.03 20:43:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Ashampoo [2013.04.03 18:17:00 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\Freetec [2013.04.03 18:16:58 | 000,000,000 | ---D | C] -- 
C:\Users\***\Documents\TubeBox [2013.04.03 18:15:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SoftwareUpdater [2013.04.03 18:10:39 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\DownloadGuide [2013.03.14 22:01:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird [2013.03.14 15:35:48 | 000,000,000 | ---D | C] -- C:\Users\***\Documents\Video deluxe 2013 [2013.03.14 15:35:46 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\MAGIX [2013.03.14 15:10:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MAGIX [2013.03.14 15:10:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\MAGIX Shared [2013.03.14 15:08:18 | 000,000,000 | ---D | C] -- C:\Programme (x86) [2013.03.14 15:06:52 | 000,000,000 | ---D | C] -- C:\ProgramData\MAGIX [2013.03.14 15:06:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\MAGIX Services [2013.03.14 15:06:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSXML 4.0 [2012.05.27 15:52:29 | 000,118,400 | ---- | C] (VSO Software) -- C:\Users\***\AppData\Roaming\ezplay.sys ========== Files - Modified Within 30 Days ========== [2013.04.10 16:32:40 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2013.04.10 16:20:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013.04.10 07:54:43 | 000,018,481 | ---- | M] () -- C:\Users\***\Documents\Schriftliche Äußerung zum Sachverhalt.odt [2013.04.10 07:42:10 | 000,014,208 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013.04.10 07:42:10 | 000,014,208 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013.04.10 07:39:39 | 001,612,484 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013.04.10 07:39:39 | 000,696,870 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2013.04.10 07:39:39 | 000,652,148 | ---- | 
M] () -- C:\Windows\SysNative\perfh009.dat [2013.04.10 07:39:39 | 000,148,134 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2013.04.10 07:39:39 | 000,121,080 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013.04.10 07:33:39 | 1292,673,024 | -HS- | M] () -- C:\hiberfil.sys [2013.04.09 22:24:26 | 000,000,370 | ---- | M] () -- C:\Windows\cedt.INI [2013.04.09 18:06:58 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2013.04.09 09:37:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe [2013.04.09 09:31:16 | 000,000,188 | ---- | M] () -- C:\Users\***\defogger_reenable [2013.04.09 09:26:21 | 000,050,477 | ---- | M] () -- C:\Users\***\Desktop\Defogger.exe [2013.04.08 07:36:08 | 000,001,189 | ---- | M] () -- C:\Users\***\AppData\Roaming\vso_ts_preview.xml [2013.04.04 18:11:36 | 000,000,562 | ---- | M] () -- C:\Users\Public\Desktop\Fraps.lnk [2013.04.03 23:45:56 | 000,001,052 | ---- | M] () -- C:\Users\Public\Desktop\Freemium TubeBox.lnk [2013.04.03 23:36:16 | 000,001,049 | ---- | M] () -- C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013.04.03 23:35:49 | 000,001,015 | ---- | M] () -- C:\Users\***\Desktop\Dropbox.lnk [2013.03.18 16:31:02 | 000,942,027 | ---- | M] () -- C:\Users\***\Documents\Von Schengen nach Maastricht.odt [2013.03.18 08:07:31 | 000,294,099 | ---- | M] () -- C:\Users\***\Desktop\Von Schengen nach Maastricht.pdf [2013.03.15 21:16:25 | 268,259,728 | ---- | M] () -- C:\Users\***\Desktop\video.mp4 [2013.03.15 17:55:18 | 000,002,112 | ---- | M] () -- C:\Users\***\.recently-used.xbel [2013.03.15 17:49:11 | 000,210,913 | ---- | M] () -- C:\Users\***\Documents\Lissabonner Vertrag.jpg [2013.03.15 17:43:14 | 000,295,624 | ---- | M] () -- C:\Users\***\Documents\Lissabonner Vertrag.pdf [2013.03.15 17:19:38 | 000,062,320 | ---- | M] () -- C:\Users\***\Documents\Von Schengen nach Maastricht.pdf [2013.03.14 17:59:32 | 000,419,120 | ---- | M] () -- 
C:\Windows\SysNative\FNTCACHE.DAT [2013.03.14 15:12:04 | 000,120,200 | ---- | M] () -- C:\Windows\SysWow64\DLLDEV32i.dll [2013.03.14 15:10:48 | 000,000,972 | ---- | M] () -- C:\Users\Public\Desktop\MAGIX Video deluxe 2013.lnk [2013.03.11 21:47:03 | 000,000,103 | -H-- | M] () -- C:\Users\***\Desktop\.~lock.deutschlisa.odt# [2013.03.11 18:19:52 | 006,388,093 | ---- | M] () -- C:\Users\***\Documents\Cannabis.odp ========== Files Created - No Company Name ========== [2013.04.09 17:49:01 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe [2013.04.09 17:49:01 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe [2013.04.09 17:49:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe [2013.04.09 17:49:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe [2013.04.09 17:49:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe [2013.04.09 09:31:16 | 000,000,188 | ---- | C] () -- C:\Users\***\defogger_reenable [2013.04.09 09:26:08 | 000,050,477 | ---- | C] () -- C:\Users\***\Desktop\Defogger.exe [2013.04.08 19:11:18 | 000,018,481 | ---- | C] () -- C:\Users\***\Documents\Schriftliche Äußerung zum Sachverhalt.odt [2013.04.04 18:11:36 | 000,000,562 | ---- | C] () -- C:\Users\Public\Desktop\Fraps.lnk [2013.04.03 23:45:56 | 000,001,052 | ---- | C] () -- C:\Users\Public\Desktop\Freemium TubeBox.lnk [2013.03.18 08:07:27 | 000,294,099 | ---- | C] () -- C:\Users\***\Desktop\Von Schengen nach Maastricht.pdf [2013.03.15 19:49:55 | 268,259,728 | ---- | C] () -- C:\Users\***\Desktop\video.mp4 [2013.03.15 17:55:18 | 000,002,112 | ---- | C] () -- C:\Users\***\.recently-used.xbel [2013.03.15 17:43:09 | 000,295,624 | ---- | C] () -- C:\Users\***\Documents\Lissabonner Vertrag.pdf [2013.03.15 17:38:10 | 000,210,913 | ---- | C] () -- C:\Users\***\Documents\Lissabonner Vertrag.jpg [2013.03.15 17:10:22 | 000,062,320 | ---- | C] () -- C:\Users\***\Documents\Von Schengen nach Maastricht.pdf [2013.03.14 17:40:20 | 000,942,027 | ---- | C] () -- C:\Users\***\Documents\Von Schengen nach Maastricht.odt 
[2013.03.14 15:10:48 | 000,000,972 | ---- | C] () -- C:\Users\Public\Desktop\MAGIX Video deluxe 2013.lnk [2013.03.11 21:47:03 | 000,000,103 | -H-- | C] () -- C:\Users\***\Desktop\.~lock.deutschlisa.odt# [2013.03.11 18:19:41 | 006,388,093 | ---- | C] () -- C:\Users\***\Documents\Cannabis.odp [2012.12.01 15:34:13 | 000,000,244 | ---- | C] () -- C:\Users\***\.swfinfo [2012.11.08 18:27:35 | 000,237,568 | ---- | C] () -- C:\Windows\SysWow64\rmc_rtspdl.dll [2012.09.29 09:49:55 | 000,107,520 | RHS- | C] () -- C:\Windows\SysWow64\TAKDSDecoder.dll [2012.09.23 18:20:56 | 000,001,189 | ---- | C] () -- C:\Users\***\AppData\Roaming\vso_ts_preview.xml [2012.09.11 18:56:48 | 000,000,024 | ---- | C] () -- C:\Windows\Medi8or.ini [2012.09.11 18:56:36 | 000,001,304 | ---- | C] () -- C:\Windows\mediator.dat [2012.08.10 19:15:22 | 000,000,142 | ---- | C] () -- C:\Windows\SIERRA.INI [2012.06.16 17:31:43 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib [2012.05.27 15:52:29 | 000,099,384 | ---- | C] () -- C:\Users\***\AppData\Roaming\inst.exe [2012.05.27 15:52:29 | 000,007,833 | ---- | C] () -- C:\Users\***\AppData\Roaming\ezplay.cat [2012.05.27 15:52:29 | 000,001,126 | ---- | C] () -- C:\Users\***\AppData\Roaming\ezplay.inf [2012.05.27 15:52:29 | 000,000,125 | ---- | C] () -- C:\Users\***\AppData\Roaming\ezplay.ini [2012.05.20 12:13:14 | 000,000,521 | ---- | C] () -- C:\Windows\eReg.dat [2012.04.09 19:43:38 | 000,004,608 | ---- | C] () -- C:\Users\***\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.02.26 12:27:34 | 000,032,256 | ---- | C] () -- C:\Windows\SysWow64\AVSredirect.dll [2012.02.05 18:51:36 | 001,590,378 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2012.01.04 19:29:02 | 000,000,370 | ---- | C] () -- C:\Windows\cedt.INI [2012.01.04 03:06:23 | 000,108,032 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll [2012.01.02 20:28:49 | 000,006,160 | ---- | C] () -- C:\Users\***\AppData\Roaming\gd.db [2012.01.02 20:28:49 | 000,000,242 | ---- | C] () -- 
C:\Users\***\AppData\Roaming\groovedown.settings [2011.12.31 20:40:04 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin [2011.11.10 04:36:06 | 000,204,960 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat [2011.11.10 04:36:06 | 000,157,152 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat [2011.11.09 23:39:44 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OpenVideo.dll [2011.11.09 23:39:32 | 000,054,784 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll [2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat ========== ZeroAccess Check ========== [2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- 
[2010.11.20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] ========== LOP Check ========== [2012.02.26 18:34:04 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\AnvSoft [2013.04.03 20:43:53 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Ashampoo [2013.02.22 23:34:11 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Audacity [2013.03.06 12:57:09 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\avidemux [2012.05.20 11:10:41 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Canneverbe Limited [2012.11.09 17:34:18 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DAEMON Tools Lite [2012.12.16 15:57:39 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Dev-Cpp [2012.09.22 10:33:33 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Digiarty [2013.04.10 07:34:59 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Dropbox [2012.12.04 16:47:32 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DVDVideoSoft [2012.11.08 13:01:41 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\EurekaLog [2013.04.07 01:54:05 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\FileZilla [2013.04.03 23:45:19 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Freemium [2012.12.17 15:10:09 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\FreeMoviesToDVD [2012.09.12 22:40:58 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Groovedown_Uninstall [2013.03.15 17:55:18 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\gtk-2.0 [2012.06.16 15:20:06 | 000,000,000 | ---D | M] -- 
C:\Users\***\AppData\Roaming\ImgBurn [2012.01.02 20:28:49 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\lang [2013.03.14 15:35:58 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\MAGIX [2012.01.10 13:45:27 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\OpenOffice.org [2012.10.21 00:05:48 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\phonostar GmbH [2012.11.08 13:17:01 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Replay Media Catcher 4 [2012.01.10 14:48:33 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Thunderbird [2013.04.08 06:45:29 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Vso ========== Purity Check ========== < End of report > |
10.04.2013, 16:52 | #8 |
/// TB-Ausbilder | Click to Continue > by Browse to Save and http://searchiu.com/?affil=141 homepage - Malware Fix with OTL
__________________ Digital privateers against malware! No help via PM! |
10.04.2013, 17:19 | #9 |
| Click to Continue > by Browse to Save and http://searchiu.com/?affil=141 homepage - Malware OTL fix log file: Code:
ATTFilter All processes killed ========== FILES ========== C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Extensions\omijpafilmeabcfknpnecgdnmpooanie\1 folder moved successfully. C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Extensions\omijpafilmeabcfknpnecgdnmpooanie folder moved successfully. C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\oyoe1-iea@vqtgk-aie.com\content folder moved successfully. C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\e0e7iwdh.default\extensions\oyoe1-iea@vqtgk-aie.com folder moved successfully. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: *** ->Temp folder emptied: 1017711 bytes ->Temporary Internet Files folder emptied: 2758733 bytes ->Java cache emptied: 8551977 bytes ->FireFox cache emptied: 197014499 bytes ->Flash cache emptied: 54763 bytes User: Public ->Temp folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 4654 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 85163 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 200,00 mb OTL by OldTimer - Version 3.2.69.0 log created on 04102013_180922 Files\Folders moved on Reboot... C:\Users\***\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully. PendingFileRenameOperations files... Registry entries deleted on Reboot... |
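As an added example (not from this thread, and not OTL's code), a small Python audit of a Firefox profile for the kind of artifacts this thread is about: an extension folder that is not on an allowlist, and a start page pinned in prefs.js or user.js so that it cannot be changed from the options. The profile path, the allowlist and the sample profile are constructed here for the demo.

```python
# Added audit example (not from the thread or from OTL); names and sample data are constructed.
import os
import re
import tempfile

# Matches user_pref("name", "value"); lines in prefs.js and user.js.
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

def read_prefs(path):
    """Return {name: value} for the string prefs in one prefs file."""
    prefs = {}
    if not os.path.isfile(path):
        return prefs
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = _PREF_RE.match(line.strip())
            if m:
                prefs[m.group(1)] = m.group(2)
    return prefs

def audit_profile(profile_dir, allowed_extensions=frozenset()):
    """Findings: extension ids not on the allowlist, and a homepage pinned in
    prefs.js or user.js (user.js is re-applied at every start, so such a
    homepage cannot be changed from the Firefox options)."""
    findings = []
    ext_dir = os.path.join(profile_dir, "extensions")
    if os.path.isdir(ext_dir):
        for entry in sorted(os.listdir(ext_dir)):
            ext_id = entry[:-4] if entry.endswith(".xpi") else entry
            if ext_id not in allowed_extensions:
                findings.append(("unknown_extension", ext_id))
    for name in ("prefs.js", "user.js"):
        home = read_prefs(os.path.join(profile_dir, name)).get("browser.startup.homepage")
        if home:
            findings.append(("homepage:" + name, home))
    return findings

def build_sample_profile():
    """Constructed sample: the extension id from the fix log, a harmless
    placeholder add-on, and the thread's start page forced via user.js."""
    d = tempfile.mkdtemp(prefix="ffprofile_")
    for ext_id in ("oyoe1-iea@vqtgk-aie.com", "good-addon@example.com"):
        os.makedirs(os.path.join(d, "extensions", ext_id))
    with open(os.path.join(d, "user.js"), "w", encoding="utf-8") as fh:
        fh.write('user_pref("browser.startup.homepage", "hxxp://searchiu.com/?affil=141");\n')
    return d

if __name__ == "__main__":
    for kind, detail in audit_profile(build_sample_profile(), {"good-addon@example.com"}):
        print(kind, detail)
```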
10.04.2013, 19:14 | #10 |
/// TB-Ausbilder | Click to Continue > by Browse to Save and http://searchiu.com/?affil=141 homepage - Malware Great! That means we're done. We'll tidy up a little now, and at the end I have some reading material for you. Step 1: Uninstall the tools. The order matters here.
Step 2: Uninstall ESET (optional)
Finally, some tips on the following topics:
Reading material: System updates. It cannot be stressed often enough how important it is to keep your system up to date. You take your car to the garage for regular inspections too. So please make sure that system updates are enabled:
Reading material: Software updates. Just as important as the system programs is the software you use every day. The following list gives you a brief overview, with links to the updates, of which programs urgently need to be kept up to date (if you have them installed and use them at all), because their security holes are often how malware gets onto computers:
Reading material: Security software. If someone overtook you on the motorway riding a motorcycle naked, you would shake your head too. Your computer also needs protection against the small daily attacks by malware. Besides excellent commercial antivirus solutions, there are also quite good protection programs available free of charge with a reduced feature set. But be careful, "the more the better" does not apply here. What you need is exactly one virus scanner with a real-time guard. No more and no less. There are many products on the market that do a good job. I personally recommend Avast Free Antivirus. It offers relatively good protection with little annoying advertising, and installs a browser plugin that warns you about dangerous websites.
Reading material: Safe surfing. First of all, it has to be said that it is usually the human factor that allows malware to get onto a computer. Do you immediately buy whatever stuff people ringing your doorbell are selling, without thinking? So first get into the habit of a few rules of conduct when surfing the Internet:
But even with scrupulous adherence to these rules, a so-called drive-by infection can still occur, in which a piece of malware breaks out of the web browser's protection mechanism. To raise security even further, there is special protection software that hardens your browser further.
Lastly, please consider using an alternative browser. Programs that are not used so often are also not so much in the focus of the "bad guys". That means you are more likely on the safe side with an exotic browser. In general, you are already considerably safer if you do not use Internet Explorer.
With that, I wish you lots of fun surfing the Internet ... and maybe you would like to support the Trojaner-Board? One request: give me brief feedback when everything is done and there are no more questions, so that I can delete this thread from my subscriptions.
__________________ Digital privateers against malware! No help via PM! |
10.04.2013, 21:42 | #11 |
| Click to Continue > by Browse to Save and http://searchiu.com/?affil=141 homepage - Malware Did everything and read it all. The virus seems to be gone. I am really incredibly grateful that you took care of (and fixed) my virus problem so quickly - in your free time |
11.04.2013, 08:31 | #12 |
/// TB-Ausbilder | Click to Continue > by Browse to Save and http://searchiu.com/?affil=141 homepage - Malware Nice that we could help. This topic seems to be resolved and will be deleted from my subscriptions. Should you need the topic again, please send me a PM. Everyone else, please click here and create your own thread. If you still want to give praise or criticism, there is this area here: http://www.trojaner-board.de/lob-kritik-wuensche/
__________________ Digital privateers against malware! No help via PM! |
Topics on Click to Continue > by Browse to Save and http://searchiu.com/?affil=141 homepage - Malware |
any video converter, application/pdf:, browse to save, continue, converter, downloader, flash player, focus, freemium, hotspot, html/scrinject.b.gen, installation, jdownloader, msiexec.exe, pdfforge toolbar, plug-in, searchiu, searchiu.com, softwareupdater, super, svchost.exe, tracker, trojan.startpage, unterstrichen, win32/adware.multiplug.h, win32/adware.multiplug.i, windows, wlansvc |