
Pests of all kinds and how to fight them: Infection through an exploit with sdra64.exe

28.04.2010, 05:45   #1
cP-mz

Infection through an exploit with sdra64.exe

Hello everyone,

Yesterday evening AVIRA suddenly alerted me that it had found several Trojans. Shortly before that, a pop-up window had opened while I was browsing. I believe Java was active at that point.

First of all I moved the affected files into quarantine with AVIRA and closed Firefox. Only after I had closed the browser did the AVIRA alerts stop.

To check whether anything had managed to settle on the machine, I ran several scans. While doing so I noticed the file SDRA64.exe in the autostart entries. My research turned up that in infections it often appears together with the directory C:\Users\***\AppData\Roaming\lowsec. I found that directory too.

First a question: next to the directory C:\Users\***\AppData\Roaming\lowsec, HijackThis shows the time 2010-04-27 23:05:48 in its log. This matches the incident I described at the beginning. Am I right in assuming that the time given in the HijackThis log is the creation date of the directory? That would matter to me because I would then know since when the machine has been compromised.



I would first like to try to remove the infection.
For that I would like to ask for your help.
Attached are the log files from the tools you recommend.
Many thanks in advance for your help!

1. Scan with Malwarebytes

Code:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Datenbank Version: 4043

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

28.04.2010 05:24:11
mbam-log-2010-04-28 (05-24-11).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 107475
Laufzeit: 5 Minute(n), 4 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Downloader) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Users\***\AppData\Roaming\sdra64.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\***\AppData\Local\Temp\B574.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\rknfl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
         
2.a RSIT log -> run after Malwarebytes, which is why sdra64.exe has already disappeared from the autostart entries

Code:
Logfile of random's system information tool 1.06 (written by random/random)
Run by *** at 2010-04-28 05:38:13
Microsoft® Windows Vista™ Home Premium  Service Pack 2
System drive C: has 6 GB (9%) free of 70 GB
Total RAM: 3069 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:38:14, on 28.04.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM04Mon.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Logfiles\RIST\RSIT.exe
C:\Program Files\trend micro\***.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ht*p://w*w.google.de/ig/dell?hl=de&client=dell-row&channel=de&ibd=2080614
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ht*p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = ht*p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = ht*p://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer bereitgestellt von Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Copernic Desktop Search - Home Toolbar - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - C:\Program Files\Copernic Desktop Search 2\Toolbar\ToolbarContainer101000315.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM04Mon.exe] C:\Windows\OEM04Mon.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware  (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\***\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CAHeadless] C:\Program Files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix: 
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - ht*p://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 12557 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3826523839-2789248197-4283208726-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3826523839-2789248197-4283208726-1000UA.job
C:\Windows\tasks\User_Feed_Synchronization-{7FF4690D-8C45-4E55-AB6D-D51659463958}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-11-18 333192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Anmelde-Hilfsprogramm - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-26 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\Dell\BAE\BAE.dll [2006-11-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}]
FDMIECookiesBHO Class - C:\Program Files\Free Download Manager\iefdm2.dll [2007-11-26 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-12 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - Copernic Desktop Search - Home Toolbar - C:\Program Files\Copernic Desktop Search 2\Toolbar\ToolbarContainer101000315.dll [2010-02-02 2306448]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Foxit Toolbar - C:\Program Files\AskBarDis\bar\bin\askBar.dll [2008-11-18 333192]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-10-27 1029416]
"OEM04Mon.exe"=C:\Windows\OEM04Mon.exe [2007-12-03 36864]
"PSQLLauncher"=C:\Program Files\Protector Suite QL\launcher.exe [2007-03-28 49168]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2007-12-21 184320]
"Windows Mobile Device Center"=C:\Windows\WindowsMobile\wmdc.exe [2007-05-31 648072]
"FreePDF Assistant"=C:\Program Files\FreePDF_XP\fpassist.exe [2007-06-26 312320]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-09-25 86016]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-09-25 8478720]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-09-25 81920]
"NVHotkey"=C:\Windows\system32\nvHotkey.dll [2007-09-25 81920]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2008-03-11 16384]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [2008-01-02 405504]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2009-05-15 4393112]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2009-05-15 962640]
"Acronis Scheduler2 Service"=C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2009-05-15 377640]
"Samsung PanelMgr"=C:\Windows\Samsung\PanelMgr\SSMMgr.exe [2008-08-13 536576]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
" Malwarebytes Anti-Malware  (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-03-29 1086856]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"Google Update"=C:\Users\***\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-26 135664]
"CAHeadless"=C:\Program Files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe [2009-09-18 615808]
"Skype"=C:\Program Files\Skype\\Phone\Skype.exe [2010-04-06 26102056]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]
"Copernic Desktop Search - Home"=C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe [2010-02-04 1594368]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
VPN Client.lnk - C:\Windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico

C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [2008-06-13 10536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
C:\Windows\system32\psqlpwd.dll [2007-03-28 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cbef948-2320-11df-a91b-001fe1dbf072}]
shell\AutoRun\command - F:\ZEUS-Start.exe
shell\zeus\command - F:\ZEUS-Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8b362ce-d817-11de-ba84-001fe1dbf072}]
shell\AutoRun\command - F:\Menu.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-04-28 05:15:06 ----D---- C:\Users\***\AppData\Roaming\Malwarebytes
2010-04-28 05:14:28 ----D---- C:\ProgramData\Malwarebytes
2010-04-28 05:14:28 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-28 04:54:07 ----D---- C:\Logfiles
2010-04-28 03:55:20 ----A---- C:\Windows\ntbtlog.txt
2010-04-28 01:12:18 ----D---- C:\Config.Msi
2010-04-28 01:00:42 ----D---- C:\Program Files\CCleaner
2010-04-28 00:26:48 ----D---- C:\Program Files\trend micro
2010-04-28 00:26:46 ----D---- C:\rsit
2010-04-27 23:05:51 ----D---- C:\Users\***\AppData\Roaming\70FBC48EA6E9A4545597A45CAE42A3FA
2010-04-27 23:05:48 ----SHD---- C:\Users\***\AppData\Roaming\lowsec
2010-04-26 11:57:38 ----A---- C:\Windows\system32\deployJava1.dll
2010-04-26 11:57:37 ----A---- C:\Windows\system32\javaws.exe
2010-04-26 11:57:37 ----A---- C:\Windows\system32\javaw.exe
2010-04-26 11:57:37 ----A---- C:\Windows\system32\java.exe
2010-04-14 13:38:41 ----A---- C:\Windows\system32\iphlpsvc.dll
2010-04-14 13:38:39 ----A---- C:\Windows\system32\wintrust.dll
2010-04-14 13:38:34 ----A---- C:\Windows\system32\ntoskrnl.exe
2010-04-14 13:38:33 ----A---- C:\Windows\system32\ntkrnlpa.exe
2010-04-14 13:38:32 ----A---- C:\Windows\system32\vbscript.dll
2010-04-14 13:38:12 ----A---- C:\Windows\system32\cabview.dll
2010-04-01 04:03:38 ----D---- C:\ProgramData\Sun
2010-04-01 03:31:28 ----A---- C:\Windows\system32\mshtml.dll
2010-04-01 03:31:26 ----A---- C:\Windows\system32\ieframe.dll
2010-04-01 03:31:22 ----A---- C:\Windows\system32\urlmon.dll
2010-04-01 03:31:22 ----A---- C:\Windows\system32\iertutil.dll
2010-04-01 03:31:21 ----A---- C:\Windows\system32\wininet.dll
2010-04-01 03:31:21 ----A---- C:\Windows\system32\occache.dll
2010-04-01 03:31:21 ----A---- C:\Windows\system32\mstime.dll
2010-04-01 03:31:21 ----A---- C:\Windows\system32\msfeeds.dll
2010-04-01 03:31:21 ----A---- C:\Windows\system32\iedkcs32.dll
2010-04-01 03:31:19 ----A---- C:\Windows\system32\ieui.dll
2010-04-01 03:31:19 ----A---- C:\Windows\system32\iepeers.dll
2010-04-01 03:31:18 ----A---- C:\Windows\system32\msfeedssync.exe
2010-04-01 03:31:18 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-04-01 03:31:18 ----A---- C:\Windows\system32\jsproxy.dll
2010-04-01 03:31:18 ----A---- C:\Windows\system32\ieUnatt.exe
2010-04-01 03:31:18 ----A---- C:\Windows\system32\iesysprep.dll
2010-04-01 03:31:18 ----A---- C:\Windows\system32\ie4uinit.exe
2010-04-01 03:31:17 ----A---- C:\Windows\system32\iesetup.dll
2010-04-01 03:31:17 ----A---- C:\Windows\system32\iernonce.dll
2010-03-29 03:10:39 ----D---- C:\Program Files\Common Files\Skype

======List of files/folders modified in the last 1 months======

2010-04-28 05:38:13 ----D---- C:\Windows\Temp
2010-04-28 05:36:49 ----D---- C:\Windows\Prefetch
2010-04-28 05:34:10 ----D---- C:\Windows\System32
2010-04-28 05:34:10 ----D---- C:\Windows\inf
2010-04-28 05:34:10 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-04-28 05:28:48 ----D---- C:\Windows\Tasks
2010-04-28 05:26:14 ----D---- C:\Windows
2010-04-28 05:26:07 ----D---- C:\Windows\system32\drivers
2010-04-28 05:26:07 ----D---- C:\Windows\Microsoft.NET
2010-04-28 05:25:12 ----D---- C:\Users\***\AppData\Roaming\Free Download Manager
2010-04-28 05:14:28 ----RD---- C:\Program Files
2010-04-28 05:14:28 ----HD---- C:\ProgramData
2010-04-28 05:04:18 ----D---- C:\Downloads
2010-04-28 03:55:29 ----D---- C:\Windows\Minidump
2010-04-28 01:22:54 ----D---- C:\Windows\system32\catroot2
2010-04-28 01:19:31 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-04-28 01:19:13 ----D---- C:\Windows\Debug
2010-04-28 01:12:27 ----SHD---- C:\Windows\Installer
2010-04-28 01:12:24 ----D---- C:\Program Files\Google
2010-04-27 13:58:12 ----D---- C:\ProgramData\Google Updater
2010-04-26 11:57:35 ----D---- C:\Program Files\Java
2010-04-25 20:52:10 ----D---- C:\Users\***\AppData\Roaming\Skype
2010-04-25 16:13:27 ----D---- C:\Users\***\AppData\Roaming\skypePM
2010-04-16 14:41:10 ----D---- C:\Windows\system32\Tasks
2010-04-14 16:33:55 ----D---- C:\Windows\winsxs
2010-04-14 13:52:23 ----D---- C:\Windows\system32\catroot
2010-04-14 13:50:12 ----D---- C:\Program Files\Windows Mail
2010-04-14 13:44:31 ----D---- C:\ProgramData\Microsoft Help
2010-04-10 01:47:13 ----D---- C:\Users\***\AppData\Roaming\vlc
2010-04-08 00:13:35 ----D---- C:\Users\***\AppData\Roaming\gtk-2.0
2010-04-07 15:32:33 ----D---- C:\ProgramData\FreePDF
2010-04-06 19:52:54 ----A---- C:\Windows\system32\mrt.exe
2010-04-03 12:21:11 ----D---- C:\ProgramData\Roxio
2010-04-02 15:35:29 ----D---- C:\Program Files\Mozilla Firefox
2010-04-01 04:03:38 ----D---- C:\Program Files\Common Files\Java
2010-04-01 03:55:19 ----D---- C:\Program Files\Internet Explorer
2010-04-01 03:55:18 ----D---- C:\Windows\system32\migration
2010-03-31 18:50:46 ----D---- C:\Program Files\Mozilla Thunderbird
2010-03-29 03:10:39 ----D---- C:\Program Files\Common Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-05-22 96104]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-06-09 28520]
R1 Uim_IM;UIM Drive Backup Image Plugin; C:\Windows\System32\Drivers\Uim_IM.sys [2007-11-06 131672]
R1 UimBus;Universal Image Mounter Controller; C:\Windows\system32\DRIVERS\UimBus.sys [2007-11-06 32080]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-12-08 56816]
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [2008-04-17 306299]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-28 32256]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-02-28 43520]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-02-28 37376]
R2 SSPORT;SSPORT; \??\C:\Windows\system32\Drivers\SSPORT.sys [2007-01-10 5120]
R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys [2009-07-01 44704]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 179712]
R3 BthEnum;Bluetooth-Auflistungsdienst; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-11 22528]
R3 BthPan;Bluetooth-Gerät (PAN); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
R3 BTHUSB;USB-Treiber für Bluetooth-Funkgerät; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-11 29696]
R3 btwaudio;Bluetooth-Audiogerät; C:\Windows\system32\drivers\btwaudio.sys [2006-11-07 78128]
R3 btwavdt;Bluetooth AVDT Service; C:\Windows\system32\drivers\btwavdt.sys [2006-11-07 80176]
R3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-07 16560]
R3 CmBatt;Treiber für Microsoft-ACPI-Kontrollmethodenkompatible Batterie; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 DNE;Deterministic Network Enhancer Miniport; C:\Windows\system32\DRIVERS\dne2000.sys [2008-03-29 125328]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adaptertreiber für Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-08-13 2226688]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-09-25 7617600]
R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver; C:\Windows\system32\DRIVERS\OEM04Vfx.sys [2007-12-03 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver; C:\Windows\system32\DRIVERS\OEM04Vid.sys [2007-12-03 234720]
R3 RFCOMM;Bluetooth-Gerät (RFCOMM-Protokoll-TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-11 148992]
R3 SbieDrv;SbieDrv; \??\C:\Program Files\Sandboxie\SbieDrv.sys [2009-09-30 116736]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-11 89088]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2008-01-02 330240]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-10-27 193456]
R3 tap0901;TAP-Win32 Adapter V9; C:\Windows\system32\DRIVERS\tap0901.sys [2009-12-12 25984]
R3 TcUsb;TC USB Kernel Driver; C:\Windows\System32\Drivers\tcusb.sys [2008-10-10 50704]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S2 DgiVecp;DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [2007-01-10 41984]
S3 61883;61883-Einheitsgerät; C:\Windows\system32\DRIVERS\61883.sys [2008-01-19 45696]
S3 Avc;AVC-Gerät; C:\Windows\system32\DRIVERS\avc.sys [2008-01-19 40448]
S3 BDA_Capture_220;Digital TV receiver Driver 1.0.0.42; C:\Windows\System32\Drivers\BDA_Capture_220.sys [2005-08-29 14080]
S3 BTHPORT;Bluetooth-Porttreiber; C:\Windows\System32\Drivers\BTHport.sys [2009-04-11 507904]
S3 CVirtA;Cisco Systems VPN Adapter; C:\Windows\system32\DRIVERS\CVirtA.sys [2007-01-18 5275]
S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 e1express;Intel(R) PRO/1000 PCI Express-Netzwerkverbindungstreiber; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
S3 ECS_Loader_220;Digital TV Receiver Firmware Loader 5.10.31.0; C:\Windows\System32\Drivers\ECS_Loader_220.sys [2005-10-31 15616]
S3 MSDV;Microsoft DV Camera and VCR; C:\Windows\system32\DRIVERS\msdv.sys [2008-01-19 52608]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 sonypvs1;Sony Digital Imaging Video2; C:\Windows\system32\DRIVERS\sonypvs1.sys [2002-10-15 102220]
S3 usb_rndisx;USB-RNDIS-Adapter; C:\Windows\system32\DRIVERS\usb8023x.sys [2009-04-11 15872]
S3 usbaudio;USB-Audiotreiber (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-11 73216]
S3 usbscan;USB-Scannertreiber; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 VClone;VClone; C:\Windows\system32\DRIVERS\VClone.sys [2008-09-24 29184]
S3 WINUSB;WinUsb-Treiber; C:\Windows\system32\DRIVERS\WinUSB.SYS [2009-04-11 31616]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2009-05-15 619336]
R2 AESTFilters;Andrea ST Filters Service; C:\Windows\system32\aestsrv.exe [2008-01-02 73728]
R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-06-09 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-05 185089]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 CGVPNCliSrvc;CyberGhost VPN Client; C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe [2010-04-17 2391176]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2008-04-17 1528608]
R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-07-25 647168]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-07-25 327680]
R2 SbieSvc;Sandboxie Service; C:\Program Files\Sandboxie\SbieSvc.exe [2009-09-30 65024]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-14 201968]
R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2008-01-02 102400]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-26 135664]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-26 183280]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-11-17 867080]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [2008-06-13 16680]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-12-02 74384]

-----------------EOF-----------------

2a-2 RIST log --> here once more the original startup (autostart) entry with sdra64.exe

Code:
O4 - HKCU\..\Run: [userinit] C:\Users\***\AppData\Roaming\sdra64.exe

Old 28.04.2010, 05:46   #2
cP-mz

Infection via exploit with sdra64.exe - Part II



2b RIST info

Code:
info.txt logfile of random's system information tool 1.06 2010-04-28 05:38:15

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1A5BA3E-9ABF-4037-820B-6151022B8ACB}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x7 
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6366726-BA44-4D6A-8ECE-476E2E616AD1}\setup.exe" -l0x7 
7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Acronis True Image Home-->MsiExec.exe /X{D1E0E859-F46D-4708-A41D-ED90C0C1822A}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Premiere Elements 8.0 Templates-->msiexec /I {17C4A35A-2041-42C0-8D10-DEF55B47BE56} REMOVEFROMARP=1
Adobe Premiere Elements 8.0 Templates-->MsiExec.exe /X{17C4A35A-2041-42C0-8D10-DEF55B47BE56}
Adobe Premiere Elements 8.0-->msiexec /I {A0E583D1-23F7-4C35-9620-B169D7715E4B} REMOVEPREFS=1 
Adobe Premiere Elements 8.0-->MsiExec.exe /I{A0E583D1-23F7-4C35-9620-B169D7715E4B}
Adobe Premiere Elements Updater 3.0.2-->MsiExec.exe /I{C8D25596-7DD3-40EA-987A-4DA8BE5D65E5}
Adobe Shockwave Player 11.5-->"C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe"
Advanced Audio FX Engine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88564CEF-20A5-4EF2-A05F-309F2EBA9B06}\setup.exe" -l0x7  /remove
Advanced Video FX Engine-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x7  /remove
AFPL Ghostscript 8.54-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.54\uninstal.txt"
AFPL Ghostscript Fonts-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\fonts\uninstal.txt"
Application Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7683570-6FD5-4E58-A3B8-719C5B1AE295}\Setup.exe" -l0x7 
Audiograbber 1.83 SE -->"C:\Program Files\Audiograbber\Uninstall.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Biet-O-Matic v2.10.0a-->C:\PROGRA~1\BIET-O~1\UNWISE.EXE C:\PROGRA~1\BIET-O~1\install.log
Broadcom Management Programs-->MsiExec.exe /X{C99C0593-3B48-41D9-B42F-6E035B320449}
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Chinese Traditional Fonts Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-2448-0000-800000000003}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Cisco Systems VPN Client 5.0.03.0530-->MsiExec.exe /X{4C271126-C295-4828-A901-5910AE0C258B}
Compatibility Pack für 2007 Office System-->MsiExec.exe /X{90120000-0020-0407-0000-0000000FF1CE}
Copernic Agent Personal-->"C:\Windows\CopernicAgentUninstall.exe"  /ARGSFILE="C:\Program Files\Copernic Agent\unwise.dat" 
Copernic Desktop Search - Home-->C:\Program Files\Copernic Desktop Search 2\uninst.exe
CyberGhost VPN Patch 4.5.17-->"C:\Program Files\S.A.D\CyberGhost VPN\unins000.exe"
Dell Handbuch zum Einstieg-->MsiExec.exe /I{FD023F61-65E9-465C-B558-7C64EB2B97E6}
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell Touchpad-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Dell Webcam Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1A5BA3E-9ABF-4037-820B-6151022B8ACB}\setup.exe" -l0x7  /remove
Dell Webcam Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6366726-BA44-4D6A-8ECE-476E2E616AD1}\setup.exe" -l0x7  /remove
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EDocs-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}\setup.exe" 
ElsterFormular 2007/2008-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B480BD2A-F1BA-4FE6-8C8E-34C6111B72C9}\setup.exe" -l0x7  -removeonly
ElsterFormular 2008/2009-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04830D0F-F980-4EC0-89F1-594F2FD2A1B5}\setup.exe" -l0x7  -removeonly
EndNote X3-->MsiExec.exe /I{86B3F2D6-AC2B-4E88-8AE1-F2F77F781B0C}
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Foxit Toolbar-->"C:\Program Files\AskBarDis\unins000.exe"
Free Download Manager 2.5-->"C:\Program Files\Free Download Manager\unins000.exe"
FreeCommander 2008.06-->"C:\Program Files\FreeCommander\unins000.exe"
FreePDF XP (Remove only)-->C:\Program Files\FreePDF_XP\fpsetup.exe /r
Gimp 2.6.0-->"C:\Program Files\GIMP-2.0\setup\unins001.exe"
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GoToAssist 8.0.0.514-->C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall  /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) PROSet/Wireless Software-->C:\Windows\Installer\iProInst.exe
Java(TM) 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Laptop Integrated Webcam Driver (1.03.01.1011)  -->C:\Windows\CtDrvIns.exe -uninstall -script OEM004.uns -plugin OEM04Pin.dll -pluginres OEM04Pin.crl -nodisconprompt -langid 0x0407
Live! Cam Avatar Creator-->C:\Program Files\InstallShield Installation Information\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}\setup.exe -runfromtemp -l0x0007 -removeonly /remove
Live! Cam Avatar-->C:\Program Files\InstallShield Installation Information\{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}\setup.exe -runfromtemp -l0x0007 -removeonly /remove
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore-->MsiExec.exe /I{F5D7FAB5-A1FD-4DD3-983E-4155B09D7102}
MediaDirect-->C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0007 -cluninstall
mHelp-->MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme-->MsiExec.exe /X{90120000-00B2-0407-0000-0000000FF1CE}
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack SP1 - deu\setup.exe
Microsoft .NET Framework 3.5 Language Pack SP1 - deu-->MsiExec.exe /I{052FDD78-A6EA-3187-8386-C82F4CA3A929}
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Image Composite Editor-->MsiExec.exe /I{78E804CC-A148-4C8F-AD46-0B476EFE34C2}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0407-0000-0000000FF1CE} /uninstall {26454C26-D259-4543-AA60-3189E09C5F76}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0407-0000-0000000FF1CE} /uninstall {9BD40163-B95D-4B07-8991-0AB775B6D88B}
Microsoft Office Access MUI (German) 2007-->MsiExec.exe /X{90120000-0015-0407-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (German) 2007-->MsiExec.exe /X{90120000-0016-0407-0000-0000000FF1CE}
Microsoft Office Groove MUI (German) 2007-->MsiExec.exe /X{90120000-00BA-0407-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (German) 2007-->MsiExec.exe /X{90120000-0044-0407-0000-0000000FF1CE}
Microsoft Office OneNote MUI (German) 2007-->MsiExec.exe /X{90120000-00A1-0407-0000-0000000FF1CE}
Microsoft Office Outlook MUI (German) 2007-->MsiExec.exe /X{90120000-001A-0407-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (German) 2007-->MsiExec.exe /X{90120000-0018-0407-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Italian) 2007-->MsiExec.exe /X{90120000-001F-0410-0000-0000000FF1CE}
Microsoft Office Proofing (German) 2007-->MsiExec.exe /X{90120000-002C-0407-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0407-0000-0000000FF1CE} /uninstall {A0516415-ED61-419A-981D-93596DA74165}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0410-0000-0000000FF1CE} /uninstall {322296D4-1EAE-4030-9FBC-D2787EB25FA2}
Microsoft Office Publisher MUI (German) 2007-->MsiExec.exe /X{90120000-0019-0407-0000-0000000FF1CE}
Microsoft Office Shared MUI (German) 2007-->MsiExec.exe /X{90120000-006E-0407-0000-0000000FF1CE}
Microsoft Office Word MUI (German) 2007-->MsiExec.exe /X{90120000-001B-0407-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Works-->MsiExec.exe /I{39D0E034-1042-4905-BECB-5502909FCB7C}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (3.0.4)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
Mpeg Layer3 Codec FHG-Radium v1.263-->C:\Windows\UNWISE.EXE C:\PROGRA~1\audio\L3CODE~1\INSTALL.LOG
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
mWMI-->MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
MyPhoneExplorer-->C:\Program Files\MyPhoneExplorer\uninstall.exe
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
OpenAL-->"C:\Program Files\OpenAL\MSI5DA9.tmp" /U /S
Opera 10.51-->MsiExec.exe /X{211FD4F6-43CF-41E6-8F6D-5FDF8D70B733}
OutlookAddinSetup-->MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
Paragon Drive Backup 8.51 Professional Trial-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D155D300-C235-44FC-981C-F7B34683439C}\Setup.exe" -l0x7 
Paragon Partition Manager 9.0 Professional-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C887C75D-2636-41F6-BB7B-FD4B0314C1E1}\Setup.exe" -l0x7 
PDF-Viewer-->"C:\Program Files\Tracker Software\PDF Viewer\unins000.exe"
PhotoFiltre-->"C:\Program Files\PhotoFiltre\Uninst.exe"
Pop Art Studio 4.5-->MsiExec.exe /I{A4172810-E834-4F5A-8CA2-647344E0C2DE}
Protector Suite QL 5.6-->MsiExec.exe /I{A2289997-10A3-48F2-AA03-99180D761661}
QuickSet-->MsiExec.exe /I{7F0C4457-8E64-491B-8D7B-991504365D1E}
QuickTime Alternative 2.6.0-->"C:\Program Files\QuickTime Alternative\unins000.exe"
Readiris Pro 10-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14D08502-FEE4-40E5-90D3-8A967A1D8BA2}\setup.exe" -l0x7 
RedMon - Redirection Port Monitor-->C:\Windows\system32\unredmon.exe
ResearchSoft Direct Export Helper-->C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE-->C:\ProgramData\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Samsung SCX-4500 Series-->C:\Program Files\Samsung\Samsung SCX-4500 Series\Install\Setup.exe /R
Sandboxie 3.40-->"C:\Windows\Installer\SandboxieInstall.exe" /remove
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB978380)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {667A88D1-0369-4070-A62A-70672D68A9BF}
Security Update for Microsoft Office Excel 2007 (KB978382)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6DE3DABF-0203-426B-B330-7287D1003E86}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB980470)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {34573F17-DADE-4D0D-835F-A54A1DE8AC1F}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Skype Toolbars-->MsiExec.exe /I{981029E0-7FC9-4CF3-AB39-6F133621921A}
Skype™ 4.2-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
SmarThru 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{90F1943D-EA4A-4460-B59F-30023F3BA69A}\Setup.exe" -l0x7 uninstall -l0007
SmartSound Quicktracks for Premiere Elements 8.0-->"C:\Program Files\InstallShield Installation Information\{4685A344-6718-4923-AA9D-158A0A2E1CFB}\setup.exe" -runfromtemp -l0x0409 -removeonly
SmartSound Quicktracks for Premiere Elements 8.0-->MsiExec.exe /I{4685A344-6718-4923-AA9D-158A0A2E1CFB}
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SopCast 3.0.3-->C:\Program Files\SopCast\uninst.exe
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TouchChip USB Driver 2.6-->MsiExec.exe /I{8E7D7400-4F4F-409D-8F8A-43BF1DAC575A}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for 2007 Microsoft Office System (KB981715)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {661B3F32-FFE4-4606-AE3A-DFA11DCC0D79}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}
Update for Outlook 2007 Junk Email Filter (kb981433)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5A6859A6-042D-4DF7-84E2-79F8DEFB5D48}
Update für Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0407-0000-0000000FF1CE} /uninstall {BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}
Update für Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0407-0000-0000000FF1CE} /uninstall {F6828576-6F79-470D-AB50-69D1BBADBD30}
Update für Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0407-0000-0000000FF1CE} /uninstall {EA160DA3-E9B5-4D03-A518-21D306665B96}
Update für Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0407-0000-0000000FF1CE} /uninstall {38472199-D7B6-4833-A949-10E4EE6365A1}
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
VLC media player 1.0.3-->C:\Program Files\VideoLAN\VLC\uninstall.exe
WIDCOMM Bluetooth Software 6.0.1.3100-->MsiExec.exe /X{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live Anmelde-Assistent-->MsiExec.exe /I{52B97218-98CB-4B8B-9283-D213C85E1AA4}
Windows Live Call-->MsiExec.exe /I{5FC68772-6D56-41C6-9DF1-24E868198AE6}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{91E04CA7-0B13-4F8C-AA4D-2A573AC96D19}
Windows Live Fotogalerie-->MsiExec.exe /X{119B7481-0216-40D2-A5CC-C3E1F461ECC1}
Windows Live Messenger-->MsiExec.exe /X{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}
Windows Live Movie Maker-Betaversion-->MsiExec.exe /X{FE6E1AF6-6B88-44FE-8101-84AE6A52B393}
Windows Live Sync-->MsiExec.exe /X{ED636101-1959-4360-8BF7-209436E7DEE4}
Windows Live Writer-->MsiExec.exe /X{81821BF8-DA20-4F8C-AA87-F70A274828D4}
Windows Live-Uploadtool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Mobile-Gerätecenter: Treiberupdate-->MsiExec.exe /X{E7044E25-3038-4A76-9064-344AC038043E}
Windows Mobile-Gerätecenter-->MsiExec.exe /X{904CCF62-818D-4675-BC76-D37EB399F917}
Wing Commander Saga Prologue-->MsiExec.exe /I{FA03C438-AA0B-409C-B90D-93C3CEB42859}
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"
Zattoo 3.3.4 Beta-->C:\Program Files\Zattoo\uninst.exe

======Hosts File======


======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall
AS: McAfee VirusScan
AS: Spybot - Search and Destroy (disabled) (outdated)
AS: Windows-Defender (disabled)

======System event log======

Computer Name: Notebook_Chris2
Event Code: 4376
Message: Windows-Wartung erforderte einen Neustart, um das Paket KB950126(Update) in den Status Installation angefordert(Install Requested) setzen zu können.
Record Number: 7513
Source Name: Microsoft-Windows-Servicing
Time Written: 20080617201910.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM

Computer Name: Notebook_Chris2
Event Code: 4386
Message: Windows-Wartung erforderte einen Neustart, um das Update 950126-48_neutral_PACKAGE aus Paket KB950126(Update) in den Status Installation angefordert(Install Requested) setzen zu können.
Record Number: 7512
Source Name: Microsoft-Windows-Servicing
Time Written: 20080617201910.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM

Computer Name: Notebook_Chris2
Event Code: 4386
Message: Windows-Wartung erforderte einen Neustart, um das Update 950126-47_neutral_PACKAGE aus Paket KB950126(Update) in den Status Installation angefordert(Install Requested) setzen zu können.
Record Number: 7511
Source Name: Microsoft-Windows-Servicing
Time Written: 20080617201910.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM

Computer Name: Notebook_Chris2
Event Code: 4376
Message: Windows-Wartung erforderte einen Neustart, um das Paket KB950126(Update) in den Status Installation angefordert(Install Requested) setzen zu können.
Record Number: 7510
Source Name: Microsoft-Windows-Servicing
Time Written: 20080617201910.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM

Computer Name: Notebook_Chris2
Event Code: 4376
Message: Windows-Wartung erforderte einen Neustart, um das Paket KB950126(Update) in den Status Bereitgestellt(Staged) setzen zu können.
Record Number: 7509
Source Name: Microsoft-Windows-Servicing
Time Written: 20080617201910.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM

=====Application event log=====

Computer Name: Notebook_Chris2
Event Code: 223
Message: WinMail (1292) WindowsMail0: Sicherung von Protokolldateien (Bereich C:\Users\***\AppData\Local\Microsoft\Windows Mail\edb00001.log - C:\Users\***\AppData\Local\Microsoft\Windows Mail\edb00001.log) wird gestartet. 
Record Number: 426
Source Name: ESENT
Time Written: 20080617155355.000000-000
Event Type: Informationen
User: 

Computer Name: Notebook_Chris2
Event Code: 221
Message: WinMail (1292) WindowsMail0: Sicherung der Datei C:\Users\***\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore wird beendet.
Record Number: 425
Source Name: ESENT
Time Written: 20080617155355.000000-000
Event Type: Informationen
User: 

Computer Name: Notebook_Chris2
Event Code: 220
Message: WinMail (1292) WindowsMail0: Sicherung der Datei C:\Users\***\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (Größe 2 Mb) beginnt.
Record Number: 424
Source Name: ESENT
Time Written: 20080617155355.000000-000
Event Type: Informationen
User: 

Computer Name: Notebook_Chris2
Event Code: 210
Message: WinMail (1292) WindowsMail0: Eine vollständige Sicherung wird gestartet.
Record Number: 423
Source Name: ESENT
Time Written: 20080617155355.000000-000
Event Type: Informationen
User: 

Computer Name: Notebook_Chris2
Event Code: 102
Message: WinMail (1292) WindowsMail0: Das Datenbankmodul (6.00.6000.0000) hat eine neue Instanz gestartet (0).
Record Number: 422
Source Name: ESENT
Time Written: 20080617155354.000000-000
Event Type: Informationen
User: 

=====Security event log=====

Computer Name: Notebook_Chris2
Event Code: 4624
Message: Ein Konto wurde erfolgreich angemeldet.

Antragsteller:
	Sicherheits-ID:		S-1-0-0
	Kontoname:		-
	Kontodomäne:		-
	Anmelde-ID:		0x0

Anmeldetyp:			3

Neue Anmeldung:
	Sicherheits-ID:		S-1-5-7
	Kontoname:		ANONYMOUS-ANMELDUNG
	Kontodomäne:		NT-AUTORITÄT
	Anmelde-ID:		0xb7437b
	Anmelde-GUID:		{00000000-0000-0000-0000-000000000000}

Prozessinformationen:
	Prozess-ID:		0x0
	Prozessname:		-

Netzwerkinformationen:
	Arbeitsstationsname:	PAM-NOTEBOOK
	Quellnetzwerkadresse:	192.168.2.100
	Quellport:		49159

Detaillierte Authentifizierungsinformationen:
	Anmeldeprozess:		NtLmSsp 
	Authentifizierungspaket:	NTLM
	Übertragene Dienste:	-
	Paketname (nur NTLM):	NTLM V1
	Schlüssellänge:		128

Dieses Ereignis wird beim Erstellen einer Anmeldesitzung generiert. Es wird auf dem Computer generiert, auf den zugegriffen wurde.

Die Antragstellerfelder geben das Konto auf dem lokalen System an, von dem die Anmeldung angefordert wurde. Dies ist meistens ein Dienst wie der Serverdienst oder ein lokaler Prozess wie "Winlogon.exe" oder "Services.exe".

Das Anmeldetypfeld gibt den jeweiligen Anmeldetyp an. Die häufigsten Typen sind 2 (interaktiv) und 3 (Netzwerk).

Die Felder für die neue Anmeldung geben das Konto an, für das die Anmeldung erstellt wurde, d. h. das angemeldete Konto.

Die Netzwerkfelder geben die Quelle einer Remoteanmeldeanforderung an. der Arbeitsstationsname ist nicht immer verfügbar und kann in manchen Fällen leer bleiben.

Die Felder für die Authentifizierungsinformationen enthalten detaillierte Informationen zu dieser speziellen Anmeldeanforderung.
	 - Die Anmelde-GUID ist ein eindeutiger Bezeichner, der verwendet werden kann, um dieses Ereignis mit einem KDC-Ereignis zu korrelieren.
	- Die übertragenen Dienste geben an, welche Zwischendienste an der Anmeldeanforderung beteiligt waren.
	- Der Paketname gibt das in den NTLM-Protokollen verwendete Unterprotokoll an.
	- Die Schlüssellänge gibt die Länge des generierten Sitzungsschlüssels an. Wenn kein Sitzungsschlüssel angefordert wurde, ist dieser Wert 0.
Record Number: 20040
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126204630.303000-000
Event Type: Überwachung erfolgreich
User: 

Computer Name: Notebook_Chris2
Event Code: 4672
Message: Einer neuen Anmeldung wurden besondere Rechte zugewiesen.

Antragsteller:
	Sicherheits-ID:		S-1-5-18
	Kontoname:		SYSTEM
	Kontodomäne:		NT-AUTORITÄT
	Anmelde-ID:		0x3e7

Berechtigungen:		SeAssignPrimaryTokenPrivilege
			SeTcbPrivilege
			SeSecurityPrivilege
			SeTakeOwnershipPrivilege
			SeLoadDriverPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeDebugPrivilege
			SeAuditPrivilege
			SeSystemEnvironmentPrivilege
			SeImpersonatePrivilege
Record Number: 20039
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126194326.957400-000
Event Type: Überwachung erfolgreich
User: 

Computer Name: Notebook_Chris2
Event Code: 4624
Message: Ein Konto wurde erfolgreich angemeldet.

Antragsteller:
	Sicherheits-ID:		S-1-5-18
	Kontoname:		NOTEBOOK_CHRIS2$
	Kontodomäne:		MSHEIMNETZ
	Anmelde-ID:		0x3e7

Anmeldetyp:			5

Neue Anmeldung:
	Sicherheits-ID:		S-1-5-18
	Kontoname:		SYSTEM
	Kontodomäne:		NT-AUTORITÄT
	Anmelde-ID:		0x3e7
	Anmelde-GUID:		{00000000-0000-0000-0000-000000000000}

Prozessinformationen:
	Prozess-ID:		0x278
	Prozessname:		C:\Windows\System32\services.exe

Netzwerkinformationen:
	Arbeitsstationsname:	
	Quellnetzwerkadresse:	-
	Quellport:		-

Detaillierte Authentifizierungsinformationen:
	Anmeldeprozess:		Advapi  
	Authentifizierungspaket:	Negotiate
	Übertragene Dienste:	-
	Paketname (nur NTLM):	-
	Schlüssellänge:		0

Dieses Ereignis wird beim Erstellen einer Anmeldesitzung generiert. Es wird auf dem Computer generiert, auf den zugegriffen wurde.

Die Antragstellerfelder geben das Konto auf dem lokalen System an, von dem die Anmeldung angefordert wurde. Dies ist meistens ein Dienst wie der Serverdienst oder ein lokaler Prozess wie "Winlogon.exe" oder "Services.exe".

Das Anmeldetypfeld gibt den jeweiligen Anmeldetyp an. Die häufigsten Typen sind 2 (interaktiv) und 3 (Netzwerk).

Die Felder für die neue Anmeldung geben das Konto an, für das die Anmeldung erstellt wurde, d. h. das angemeldete Konto.

Die Netzwerkfelder geben die Quelle einer Remoteanmeldeanforderung an. der Arbeitsstationsname ist nicht immer verfügbar und kann in manchen Fällen leer bleiben.

Die Felder für die Authentifizierungsinformationen enthalten detaillierte Informationen zu dieser speziellen Anmeldeanforderung.
	 - Die Anmelde-GUID ist ein eindeutiger Bezeichner, der verwendet werden kann, um dieses Ereignis mit einem KDC-Ereignis zu korrelieren.
	- Die übertragenen Dienste geben an, welche Zwischendienste an der Anmeldeanforderung beteiligt waren.
	- Der Paketname gibt das in den NTLM-Protokollen verwendete Unterprotokoll an.
	- Die Schlüssellänge gibt die Länge des generierten Sitzungsschlüssels an. Wenn kein Sitzungsschlüssel angefordert wurde, ist dieser Wert 0.
Record Number: 20038
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126194326.957400-000
Event Type: Überwachung erfolgreich
User: 

Computer Name: Notebook_Chris2
Event Code: 4648
Message: Anmeldeversuch mit expliziten Anmeldeinformationen.

Antragsteller:
	Sicherheits-ID:		S-1-5-18
	Kontoname:		NOTEBOOK_CHRIS2$
	Kontodomäne:		MSHEIMNETZ
	Anmelde-ID:		0x3e7
	Anmelde-GUID:		{00000000-0000-0000-0000-000000000000}

Konto, dessen Anmeldeinformationen verwendet wurden:
	Kontoname:		SYSTEM
	Kontodomäne:		NT-AUTORITÄT
	Anmelde-GUID:		{00000000-0000-0000-0000-000000000000}

Zielserver:
	Zielservername:	localhost
	Weitere Informationen:	localhost

Prozessinformationen:
	Prozess-ID:		0x278
	Prozessname:		C:\Windows\System32\services.exe

Netzwerkinformationen:
	Netzwerkadresse:	-
	Port:			-

Dieses Ereignis wird bei einem Anmeldeversuch durch einen Prozess generiert, wenn ausdrücklich die Anmeldeinformationen des Kontos angegeben werden.  Dies ist normalerweise der Fall in Batch-Konfigurationen, z. B. bei geplanten Aufgaben oder wenn der Befehl "runas" verwendet wird.
Record Number: 20037
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126194326.957400-000
Event Type: Überwachung erfolgreich
User: 

Computer Name: Notebook_Chris2
Event Code: 4672
Message: Einer neuen Anmeldung wurden besondere Rechte zugewiesen.

Antragsteller:
	Sicherheits-ID:		S-1-5-18
	Kontoname:		SYSTEM
	Kontodomäne:		NT-AUTORITÄT
	Anmelde-ID:		0x3e7

Berechtigungen:		SeAssignPrimaryTokenPrivilege
			SeTcbPrivilege
			SeSecurityPrivilege
			SeTakeOwnershipPrivilege
			SeLoadDriverPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeDebugPrivilege
			SeAuditPrivilege
			SeSystemEnvironmentPrivilege
			SeImpersonatePrivilege
Record Number: 20036
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081126194326.770200-000
Event Type: Überwachung erfolgreich
User: 

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\Common Files\Acronis\SnapAPI\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\

-----------------EOF-----------------

3. GMER (note: run in safe mode after the scan had initially produced a bluescreen; the log dates from before the first two tools were used)

Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-28 04:53:16
Windows 6.0.6002 Service Pack 2
Running: 95bglcth.exe; Driver: C:\Users\CHRIST~1\AppData\Local\Temp\kwgoqfoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                           tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                          Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                           tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                           hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                           snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                           tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                           hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                           snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                           tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                           hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                           snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                           tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                           hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                           snapman.sys (Acronis Snapshot API/Acronis)

Device          \FileSystem\fastfat \Fat                                                                         8FD3BA7A

AttachedDevice  \FileSystem\fastfat \Fat                                                                         fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                         tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1dbf072                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1dbf072@0012d1b1152b         0xAE 0xB9 0x39 0xED ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1dbf072@001d28ded848         0x87 0x19 0x9E 0xA3 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1dbf072@0017e8456f38         0xA1 0xE9 0xE1 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1dbf072@000e07b83f5a         0xF9 0x4B 0x75 0x32 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1dbf072 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1dbf072@0012d1b1152b             0xAE 0xB9 0x39 0xED ...
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1dbf072@001d28ded848             0x87 0x19 0x9E 0xA3 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1dbf072@0017e8456f38             0xA1 0xE9 0xE1 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1dbf072@000e07b83f5a             0xF9 0x4B 0x75 0x32 ...

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                            sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----
What is your assessment of the situation?

Which additional tools can / should I use to carry out further diagnostics or to remove the infection?

Last edited by cP-mz (28.04.2010 at 06:30)

28.04.2010, 06:41   #3
Chris4You

Infection through exploit with sdra64.exe

Hi,

the time is probably identical to that of the infection...

Malwarebytes Antimalware (MAM)
Instructions & download here: http://www.trojaner-board.de/51187-m...i-malware.html
If the download does not work, please download a generic version via this link:
http://filepony.de/download-chameleon/
Then please update the signature files (tab "Update" -> "Check for updates")
Run a full scan and let it clean everything! Post the log.

OTL
Download OTL by OldTimer (http://filepony.de/download-otl/) and save it to your desktop
  • Vista/Win7 users: right-click OTL.exe and choose "Run as administrator"
  • At the top you will find a box labelled Output. Please select Minimal Output
  • Under Extra Registry, please select Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 log files are created
  • Post the log files here in the thread

chris

28.04.2010, 07:30   #4
cP-mz

Infection through exploit with sdra64.exe

Hello Chris,

attached are the OTL log files. I created them just now. Alternatively, I also have some from before running Malwarebytes' Anti-Malware, i.e. from last night, shortly after the infection.

OTL - otl

Code:
OTL logfile created on: 28.04.2010 08:01:34 - Run 2
OTL by OldTimer - Version 3.2.3.0     Folder = C:\Users\***\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 64,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68,44 Gb Total Space | 6,30 Gb Free Space | 9,20% Space Free | Partition Type: NTFS
Drive D: | 227,03 Gb Total Space | 32,23 Gb Free Space | 14,20% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: NOTEBOOK_CHRIS2
Current User Name: ***
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\***\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe (mobile concepts GmbH)
PRC - C:\Programme\Copernic Desktop Search 2\DesktopSearchService.exe (Copernic Inc.)
PRC - C:\Programme\Sandboxie\SbieSvc.exe (tzuk)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
PRC - C:\Programme\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Programme\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Programme\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Windows\Samsung\PanelMgr\SSMMgr.exe ()
PRC - C:\Programme\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Windows\System32\stacsv.exe (IDT, Inc.)
PRC - C:\Windows\System32\AEstSrv.exe (Andrea Electronics Corporation)
PRC - C:\Programme\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
PRC - C:\Windows\OEM04Mon.exe (Creative Technology Ltd.)
PRC - C:\Programme\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
PRC - C:\Programme\Protector Suite QL\upeksvr.exe (UPEK Inc.)
PRC - C:\Programme\Protector Suite QL\psqltray.exe (UPEK Inc.)
PRC - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - c:\Programme\WIDCOMM\Bluetooth Software\BTStackServer.exe (Broadcom Corporation.)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Users\***\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (CGVPNCliSrvc) -- C:\Programme\S.A.D\CyberGhost VPN\CGVPNCliService.exe (mobile concepts GmbH)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (SbieSvc) -- C:\Program Files\Sandboxie\SbieSvc.exe (tzuk)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (SBSDWSCService) -- C:\Programme\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (IDT, Inc.)
SRV - (AESTFilters) -- C:\Windows\System32\AEstSrv.exe (Andrea Electronics Corporation)
SRV - (EvtEng) Intel(R) -- C:\Programme\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (RegSrvc) Intel(R) -- C:\Programme\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (tap0901) -- C:\Windows\System32\drivers\tap0901.sys (The OpenVPN Project)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (SbieDrv) -- C:\Programme\Sandboxie\SbieDrv.sys (tzuk)
DRV - (tdrpman228) Acronis Try&Decide and Restore Points filter (build 228) -- C:\Windows\system32\DRIVERS\tdrpm228.sys (Acronis)
DRV - (timounter) -- C:\Windows\system32\DRIVERS\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\Windows\System32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\Windows\system32\DRIVERS\snapman.sys (Acronis)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (usbaudio) USB-Audiotreiber (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (WINUSB) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (TcUsb) -- C:\Windows\System32\drivers\tcusb.sys (UPEK Inc.)
DRV - (VClone) -- C:\Windows\System32\drivers\VClone.sys (Elaborate Bytes AG)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (CVPNDRVA) -- C:\Windows\System32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DNE) -- C:\Windows\System32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (hotcore3) -- C:\Windows\system32\drivers\hotcore3.sys (Paragon Software Group)
DRV - (61883) -- C:\Windows\System32\drivers\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\Windows\System32\drivers\avc.sys (Microsoft Corporation)
DRV - (MSDV) -- C:\Windows\System32\drivers\msdv.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (OEM04Vid) -- C:\Windows\System32\drivers\OEM04Vid.sys (Creative Technology Ltd.)
DRV - (OEM04Vfx) -- C:\Windows\System32\drivers\OEM04Vfx.sys (EyePower Games Pte. Ltd.)
DRV - (Uim_IM) -- C:\Windows\System32\drivers\Uim_IM.sys (Paragon)
DRV - (UimBus) -- C:\Windows\System32\drivers\UimBus.sys (Windows (R) 2000 DDK provider)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (NETw4v32) Intel(R) -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (iaStor) -- C:\Windows\system32\drivers\iastor.sys (Intel Corporation)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (CVirtA) -- C:\Windows\System32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (SSPORT) -- C:\Windows\System32\drivers\SSPORT.SYS (Samsung Electronics)
DRV - (DgiVecp) -- C:\Windows\System32\drivers\DGIVECP.SYS (Samsung Electronics Co., Ltd.)
DRV - (btwaudio) -- C:\Windows\System32\drivers\btwaudio.sys (Broadcom Corporation.)
DRV - (btwrchid) -- C:\Windows\System32\drivers\btwrchid.sys (Broadcom Corporation.)
DRV - (btwavdt) -- C:\Windows\System32\drivers\btwavdt.sys (Broadcom Corporation.)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (e1express) Intel(R) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (ECS_Loader_220) -- C:\Windows\System32\drivers\ECS_Loader_220.sys (WideView Technology Inc.)
DRV - (BDA_Capture_220) -- C:\Windows\System32\drivers\BDA_Capture_220.sys (WideViewer Electronics CO., LTD)
DRV - (sonypvs1) -- C:\Windows\System32\drivers\sonypvs1.sys (Sony Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ig/dell?hl=de&client=dell-row&channel=de&ibd=2080614
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.order.1: "A9"
FF - prefs.js..browser.search.order.10: "Wikipedia (DE)"
FF - prefs.js..browser.search.order.13: "Wikipedia (DE)"
FF - prefs.js..browser.search.order.2: "Google"
FF - prefs.js..browser.search.order.3: "Yahoo"
FF - prefs.js..browser.search.order.4: "Amazon.de"
FF - prefs.js..browser.search.order.5: "IMDb"
FF - prefs.js..browser.search.order.6: "eBay"
FF - prefs.js..browser.search.order.7: "Flickr Tags"
FF - prefs.js..browser.search.order.8: "Webster"
FF - prefs.js..browser.search.order.9: "Leo Eng<->Ger"
FF - prefs.js..browser.search.selectedEngine: "Google Deutschland"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.mainz-online.de"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: brief@mozdev.org:1.2.5
FF - prefs.js..extensions.enabledItems: de-DE@dictionaries.addons.mozilla.org:2.0.1
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.21
FF - prefs.js..extensions.enabledItems: fdm_ffext@freedownloadmanager.org:1.3.2
FF - prefs.js..extensions.enabledItems: {6e84150a-d526-41f1-a480-a67d3fed910d}:1.4.5.1
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:4.0.0
FF - prefs.js..extensions.enabledItems: {83D65D9A-9CCA-439B-9E4A-EC1FE481B443}:1.0.0.30
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.autoconfig_url: "hxxp://elib.tu-darmstadt.de/proxy.pac"
FF - prefs.js..network.proxy.backup.ftp: "82.134.67.175"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "82.134.67.175"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "82.134.67.175"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "82.134.67.175"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "213.97.169.197"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "213.97.169.197"
FF - prefs.js..network.proxy.gopher_port: 80
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "213.97.169.197"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "213.97.169.197"
FF - prefs.js..network.proxy.ssl_port: 80
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.04.02 15:35:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.04.26 11:57:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.03.31 18:50:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
 
[2009.12.09 15:39:03 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2009.12.09 15:39:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.04.28 01:50:04 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions
[2010.04.11 22:45:57 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010.04.27 16:00:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.01.26 02:46:56 | 000,000,000 | ---D | M] (IE View) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
[2010.04.17 09:41:51 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010.01.07 23:08:27 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009.12.24 00:29:57 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\brief@mozdev.org
[2010.02.13 14:25:01 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\de-DE@dictionaries.addons.mozilla.org
[2008.06.17 18:08:28 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\de-DE-comb@dictionaries.addons.mozilla.org
[2009.10.04 04:30:37 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\oj26yta0.default\extensions\en-US@dictionaries.addons.mozilla.org
[2010.04.27 00:18:21 | 000,001,243 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\a9.xml
[2009.06.02 22:26:04 | 000,002,164 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\bing.xml
[2010.04.27 00:18:21 | 000,002,125 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\flickr-tags.xml
[2008.05.27 12:40:12 | 000,002,170 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\google-deutschland.xml
[2008.06.24 23:18:30 | 000,000,908 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\IMDb.xml
[2008.06.03 15:31:42 | 000,001,097 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\leo.xml
[2008.06.24 23:18:30 | 000,000,681 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\webster.xml
[2007.02.16 06:50:16 | 000,001,068 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\wikipedia-english.xml
[2009.03.21 09:18:19 | 000,004,140 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\FireFox\Profiles\oj26yta0.default\searchplugins\youtube.xml
[2010.04.26 11:57:40 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions
[2010.03.29 03:10:50 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010.04.26 11:57:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.04.12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2009.12.30 12:05:44 | 000,164,120 | ---- | M] (Tracker Software Products Ltd.) -- C:\Programme\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
[2010.01.14 00:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npwachk.dll
[2010.01.24 01:06:26 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.01.24 01:06:26 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.01.24 01:06:26 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.01.24 01:06:26 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.01.24 01:06:26 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.11.17 03:53:23 | 000,000,806 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1             localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com              # manuell gesetzt für adobe prem
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Programme\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programme\Free Download Manager\iefdm2.dll ()
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Copernic Desktop Search - Home Toolbar) - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - C:\Programme\Copernic Desktop Search 2\Toolbar\ToolbarContainer101000315.dll (Copernic Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [OEM04Mon.exe] C:\Windows\OEM04Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Programme\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [CAHeadless] C:\Programme\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [Copernic Desktop Search - Home] C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe (Copernic Inc.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Programme\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\psfus: DllName - C:\Windows\system32\psqlpwd.dll - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\XPS_NB_1280x864_Black.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\XPS_NB_1280x864_Black.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{7cbef948-2320-11df-a91b-001fe1dbf072}\Shell\AutoRun\command - "" = F:\ZEUS-Start.exe -- File not found
O33 - MountPoints2\{7cbef948-2320-11df-a91b-001fe1dbf072}\Shell\zeus\command - "" = F:\ZEUS-Start.exe -- File not found
O33 - MountPoints2\{c8b362ce-d817-11de-ba84-001fe1dbf072}\Shell\AutoRun\command - "" = F:\Menu.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk /p \??\Z:) -  File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010.04.28 07:55:58 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2010.04.28 05:15:06 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Malwarebytes
[2010.04.28 05:14:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.04.28 05:14:28 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010.04.28 05:14:28 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2010.04.28 05:14:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010.04.28 04:54:07 | 000,000,000 | ---D | C] -- C:\Logfiles
[2010.04.28 01:12:18 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010.04.28 01:00:42 | 000,000,000 | ---D | C] -- C:\Programme\CCleaner
[2010.04.28 00:26:48 | 000,000,000 | ---D | C] -- C:\Programme\trend micro
[2010.04.28 00:26:46 | 000,000,000 | ---D | C] -- C:\rsit
[2010.04.27 23:05:51 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\70FBC48EA6E9A4545597A45CAE42A3FA
[2010.04.27 23:05:48 | 000,000,000 | -HSD | C] -- C:\Users\***\AppData\Roaming\lowsec
[2010.04.26 11:57:38 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010.04.26 11:57:37 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010.04.26 11:57:37 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010.04.26 11:57:37 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010.04.14 13:38:34 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010.04.14 13:38:33 | 003,600,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010.04.14 13:38:32 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010.04.14 13:38:13 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codecp.acm
[2010.04.14 13:38:13 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[2010.04.01 04:03:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010.04.01 03:31:21 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010.04.01 03:31:21 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010.04.01 03:31:21 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010.04.01 03:31:19 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010.04.01 03:31:19 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010.04.01 03:31:19 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010.04.01 03:31:18 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010.04.01 03:31:18 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010.04.01 03:31:18 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010.04.01 03:31:18 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010.04.01 03:31:18 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010.04.01 03:31:18 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010.04.01 03:31:17 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010.04.01 03:31:17 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010.04.01 03:31:17 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2010.04.28 08:01:01 | 004,980,736 | -HS- | M] () -- C:\Users\***\NTUSER.DAT
[2010.04.28 08:00:43 | 000,001,052 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010.04.28 07:58:41 | 000,261,143 | ---- | M] () -- C:\Users\***\AppData\Roaming\nvModes.001
[2010.04.28 07:58:16 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010.04.28 07:58:08 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010.04.28 07:58:08 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010.04.28 07:58:08 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010.04.28 07:58:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010.04.28 07:57:59 | 3219,173,376 | -HS- | M] () -- C:\hiberfil.sys
[2010.04.28 07:57:11 | 000,004,268 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010.04.28 07:57:08 | 000,524,288 | -HS- | M] () -- C:\Users\***\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010.04.28 07:57:08 | 000,065,536 | -HS- | M] () -- C:\Users\***\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010.04.28 07:57:01 | 002,355,426 | -H-- | M] () -- C:\Users\***\AppData\Local\IconCache.db
[2010.04.28 07:35:00 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010.04.28 07:30:04 | 001,427,212 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010.04.28 07:30:04 | 000,621,952 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2010.04.28 07:30:04 | 000,590,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010.04.28 07:30:04 | 000,123,658 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2010.04.28 07:30:04 | 000,102,094 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010.04.28 06:22:00 | 000,001,158 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3826523839-2789248197-4283208726-1000UA.job
[2010.04.28 05:58:12 | 000,000,446 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{7FF4690D-8C45-4E55-AB6D-D51659463958}.job
[2010.04.28 05:23:48 | 000,139,436 | ---- | M] () -- C:\Users\***\Desktop\Unbenannt 1.jpg
[2010.04.28 05:14:33 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.28 03:55:17 | 334,421,192 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010.04.28 03:24:03 | 000,293,376 | ---- | M] () -- C:\Users\***\Desktop\95bglcth.exe
[2010.04.28 03:23:57 | 000,133,632 | ---- | M] () -- C:\Users\***\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.04.28 01:11:18 | 000,120,828 | ---- | M] () -- C:\Users\***\Documents\cc_20100428_011057.reg
[2010.04.28 00:36:10 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2010.04.26 12:11:16 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3826523839-2789248197-4283208726-1000Core.job
[2010.04.12 17:29:27 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010.04.12 17:29:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010.04.12 17:29:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010.04.12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010.04.08 00:15:41 | 000,013,455 | ---- | M] () -- C:\Users\***\.recently-used.xbel
[2010.04.05 09:25:24 | 000,008,268 | ---- | M] () -- C:\Users\***\AppData\Local\d3d9caps.dat
[2010.03.31 03:56:00 | 000,290,114 | ---- | M] () -- C:\Users\***\Desktop\SGB XI.pdf
[2010.03.29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010.03.29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010.04.28 05:23:46 | 000,139,436 | ---- | C] () -- C:\Users\***\Desktop\Unbenannt 1.jpg
[2010.04.28 05:14:33 | 000,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.04.28 04:57:52 | 3219,173,376 | -HS- | C] () -- C:\hiberfil.sys
[2010.04.28 03:55:17 | 334,421,192 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010.04.28 03:23:54 | 000,293,376 | ---- | C] () -- C:\Users\***\Desktop\95bglcth.exe
[2010.04.28 01:11:02 | 000,120,828 | ---- | C] () -- C:\Users\***\Documents\cc_20100428_011057.reg
[2010.04.14 00:38:07 | 000,011,694 | ---- | C] () -- C:\Users\***\Documents\Vollmacht Kaufvertrages.docx
[2010.04.08 00:15:41 | 000,013,455 | ---- | C] () -- C:\Users\***\.recently-used.xbel
[2010.03.31 03:55:59 | 000,290,114 | ---- | C] () -- C:\Users\***\Desktop\SGB XI.pdf
[2009.10.26 03:44:50 | 000,270,336 | ---- | C] () -- C:\Windows\System32\SaMinDrv.dll
[2009.10.26 03:44:50 | 000,106,496 | ---- | C] () -- C:\Windows\System32\SaImgFlt.dll
[2009.10.26 03:44:50 | 000,090,112 | ---- | C] () -- C:\Windows\System32\SaSegFlt.dll
[2009.10.26 03:44:50 | 000,061,440 | ---- | C] () -- C:\Windows\System32\SaErHdlr.dll
[2009.09.23 14:40:53 | 000,172,032 | ---- | C] () -- C:\Windows\System32\SecSNMP.dll
[2009.09.23 14:40:48 | 000,000,124 | ---- | C] () -- C:\Windows\Readiris.ini
[2009.09.23 14:40:45 | 000,023,040 | ---- | C] () -- C:\Windows\System32\irisco32.dll
[2009.09.23 14:37:59 | 000,217,088 | R--- | C] () -- C:\Windows\System32\ssminidriver.dll
[2009.09.23 14:37:59 | 000,027,136 | R--- | C] () -- C:\Windows\System32\ssimgfilter.dll
[2009.09.23 14:37:59 | 000,011,264 | R--- | C] () -- C:\Windows\System32\sssegfilter.dll
[2009.09.23 14:37:59 | 000,010,752 | R--- | C] () -- C:\Windows\System32\sserrhandler.dll
[2009.06.10 00:00:48 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.04.08 19:12:09 | 000,002,084 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2009.03.12 07:05:46 | 000,022,723 | ---- | C] () -- C:\Windows\System32\sx450sl3.dll
[2009.01.19 13:35:27 | 000,015,873 | ---- | C] () -- C:\Windows\System32\Inetde.dll
[2008.12.27 16:53:45 | 000,003,654 | ---- | C] () -- C:\Windows\System32\drivers\Sonyhcp.dll
[2008.06.17 22:18:52 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008.06.17 22:18:52 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008.06.17 21:42:56 | 000,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2008.06.17 19:20:37 | 000,000,034 | ---- | C] () -- C:\Windows\cdplayer.ini
[2008.06.17 18:55:13 | 000,011,568 | ---- | C] () -- C:\Windows\System32\drivers\UimFIO.sys
[2008.06.17 18:54:48 | 004,244,744 | ---- | C] () -- C:\Windows\System32\qtp-mt334.dll
[2008.06.17 18:54:48 | 000,247,560 | ---- | C] () -- C:\Windows\System32\prgiso.dll
[2008.06.17 18:54:48 | 000,013,576 | ---- | C] () -- C:\Windows\System32\wnaspi32.dll
[2008.06.14 05:28:05 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008.06.14 05:28:01 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008.04.17 09:08:56 | 000,197,408 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2007.07.25 17:40:02 | 000,999,424 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2006.11.03 18:25:56 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 12:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001.11.14 13:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 229 bytes -> C:\ProgramData\TEMP:8FF81EB0
< End of report >
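The file entries in the report above are the raw material for a timeline. What follows is an added example (my code, not OTL's and not anything posted in this thread) that pulls those entries out of an OTL report and triages them against an incident time. OTL writes each entry as `[YYYY.MM.DD HH:MM:SS | size | RHSD | C|M] (Company) -- path`, where the four attribute positions are read-only, hidden, system and directory ('-' when unset) and the last field is `C` for the "Created Within 30 Days" section or `M` for "Modified Within 30 Days", so creation times can be read straight off the `C` entries. The sample text is a constructed copy of a few lines from the log; the incident time, the ten-minute window and the three heuristics (created close to the incident, hidden+system under a user's AppData, a directory named by a bare 32-character hex string) are my assumptions, not findings the thread establishes.

```python
"""Parse OTL file/folder entries and triage them against an incident time.

Added example for this thread: not OTL's code, not the poster's.
Entry format written by OTL:
    [YYYY.MM.DD HH:MM:SS | size | RHSD | C|M] (Company) -- path
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: lines copied in shape from the report above.
SAMPLE_OTL = r"""
========== Files/Folders - Created Within 30 Days ==========

[2010.04.28 07:55:58 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2010.04.27 23:05:51 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\70FBC48EA6E9A4545597A45CAE42A3FA
[2010.04.27 23:05:48 | 000,000,000 | -HSD | C] -- C:\Users\***\AppData\Roaming\lowsec
[2010.04.26 11:57:38 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.04.28 08:01:01 | 004,980,736 | -HS- | M] () -- C:\Users\***\NTUSER.DAT
"""

# Assumed incident time: here simply the creation time of the lowsec folder.
INCIDENT = datetime(2010, 4, 27, 23, 5, 48)

OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| "
    r"(?P<attrs>[R-][H-][S-][D-]) \| "
    r"(?P<event>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- "
    r"(?P<path>.+?)\s*$"
)
# Heuristic: a folder whose name is nothing but 32 hex digits (assumption, not an OTL rule).
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass
class Entry:
    ts: datetime
    size: int
    attrs: str          # four positions: R H S D, '-' when unset
    event: str          # 'C' = created section, 'M' = modified section
    company: Optional[str]
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl(text: str) -> List[Entry]:
    """Return every file/folder entry; section headers and summary lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = OTL_LINE.match(line)
        if not m:
            continue
        entries.append(Entry(
            ts=datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            event=m["event"],
            company=m["company"] or None,   # "()" and no parentheses both mean unknown
            path=m["path"],
        ))
    return entries


def triage(entries: List[Entry], incident: datetime,
           window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Return (path, reasons) for entries worth a second look. Heuristics are assumptions."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        reasons = []
        if e.event == "C" and abs(e.ts - incident) <= window:
            reasons.append(f"created {e.ts:%H:%M:%S}, within {window} of the incident")
        if e.hidden and e.system and "\\AppData\\" in e.path:
            reasons.append("hidden+system under a user profile's AppData")
        if e.is_dir and HEX_NAME.match(e.name):
            reasons.append("directory named by a bare 32-character hex string")
        if reasons:
            findings.append((e.path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for path, why in triage(parse_otl(SAMPLE_OTL), INCIDENT):
        print(f"{path}\n    {why}")
```

To run it against a real report, replace `SAMPLE_OTL` with the contents of OTL.txt and set `INCIDENT` to the time the first AV alert fired; the window and the three rules are starting points to tune, not a verdict.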
         

Alt 28.04.2010, 07:32   #5
cP-mz
 
Infection through exploit with sdra64.exe

OTL - extras

Code:
OTL Extras logfile created on: 28.04.2010 08:01:34 - Run 2
OTL by OldTimer - Version 3.2.3.0     Folder = C:\Users\****\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 64,00% Memory free
6,00 Gb Paging File | 5,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68,44 Gb Total Space | 6,30 Gb Free Space | 9,20% Space Free | Partition Type: NTFS
Drive D: | 227,03 Gb Total Space | 32,23 Gb Free Space | 14,20% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: NOTEBOOK_CHRIS2
Current User Name: ****
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{06C0492B-5BE7-4EBA-ABB2-F120036EDAE8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{0A251A99-C0F5-4671-82E8-21246591CD1E}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{0CFD7D6D-7BB5-4523-B279-6390D7E26C46}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{0EE07BBD-72A1-43D0-A2DC-1BC7FAEF5B70}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{100C5CB7-9BB6-43E4-A43C-A19E46FBD38D}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{141070D6-8619-4F5C-9418-6885E2E89322}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{1DE69745-DA9C-407A-B692-F7739D013CCF}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{1FE0ED84-0B60-4A78-8D83-7355EE6A27BF}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{21B8E7B4-3EB3-498E-BDD6-A85B6D9D62A6}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{248AA99C-FEF0-4CA9-B959-4B35CA3D3D22}" = lport=138 | protocol=17 | dir=in | app=system | 
"{2BEE4950-1E80-4582-8B04-69FDDAD28FC9}" = rport=137 | protocol=17 | dir=out | app=system | 
"{2F1162B2-C38F-4513-B638-8830734F1B47}" = lport=445 | protocol=6 | dir=in | app=system | 
"{31421C8A-78B6-4CB7-8E7E-E6EBB659E922}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{33B2253F-644E-4609-AD99-E11CEAE5EF41}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{35004F74-DB94-4F22-847B-C9EFCA5D95D7}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 
"{38D0B0CF-6ED5-47E5-98C2-CB02761EE85C}" = lport=137 | protocol=17 | dir=in | app=system | 
"{54680BA1-4CBE-487D-AC1C-F70E9AEC30BE}" = lport=139 | protocol=6 | dir=in | app=system | 
"{58F1DE0B-9F96-48CE-9DED-7545571C222F}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 
"{5AFB3E9B-A94E-420A-891D-C946B819A6B7}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{600AC6A9-4E95-47AF-B068-4E5A09518FEC}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{630D36F3-35FB-4151-83F5-D4BF3D43B4E5}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{644FE174-736E-4381-A572-36134D82E480}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{6A71F7F7-43BB-430C-93F3-3FF43504FAA8}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{6BE2BCE1-FDD4-44DC-AF51-BB0AC05B3427}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{72C6773B-C84B-45F7-897F-8EE255E5D68D}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 
"{7672638A-A54D-40A4-AF07-A6031D20B8B7}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{7AC15FDA-55B7-4E36-89AA-2C5694E24761}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{8865F8E2-7034-4554-8608-BBB774E5F1A4}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{8CFCD0AD-BFD8-44ED-BB16-2268D7696342}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{9EA04329-5944-4618-84F1-FF72493A7946}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{A3BEABAA-1CF8-4021-AA1F-13B0252BE7B3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{AEB0D980-7711-4A57-A761-0EAF41EC64AA}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{AF001C47-7A0A-4A60-939D-4E8C9FE00F5C}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{B7017CED-BBF1-4356-8876-EA373824AB1D}" = rport=445 | protocol=6 | dir=out | app=system | 
"{BAD3268C-D2AD-4B29-9A32-9CBB1E7C65C2}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe | 
"{CB8EEEA3-0C35-4FAF-9755-08864BEEF44A}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 
"{D7EB34D0-E0EB-4E0D-B753-38D6736D4C78}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{DA198CAA-6A09-439B-BEF3-5E049E3B5B15}" = rport=139 | protocol=6 | dir=out | app=system | 
"{E4EBE335-6670-4113-95CB-F16878E9576D}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{EBD82C5C-9F1F-4B39-A9E9-40359D1215D1}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{EE409247-69F9-4A3F-B3C1-F9E452B1CED5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | 
"{F10729A3-2B3E-4547-B4EE-F2C537B7D1D4}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{F5D65770-DECE-4B03-B920-135B2325E92E}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{F79DA4F9-402C-4D85-A31E-A7BD2500390D}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{F94CA992-8C22-4989-BA39-C889402F1E4D}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{FF1E3F1B-AD4D-4F9D-AA20-E3CC35B4F887}" = rport=138 | protocol=17 | dir=out | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03E58C13-358A-4A6E-9B5D-76F0D93173C8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{05789C22-C191-4AD6-9A9E-12A2049BA2E2}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{0E9615A7-AF66-4D1F-B37C-A87D8C538692}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{1024ADF2-2C8A-4539-96B8-D29E1AD3FEC5}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{1047C717-E542-41E0-B543-E8314B830BA0}" = protocol=6 | dir=out | app=system | 
"{15C40D09-5CF5-4371-A49E-35C57C91170A}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dms\clmsservice.exe | 
"{1B70C12A-46B3-4218-B3FD-2876B7DD5440}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | 
"{22F7C616-FF3D-4BC5-AEDD-0BB5AF7046A7}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{24DDAEA9-CA85-4C07-9A26-8787567094DE}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | 
"{276F3736-651E-4D22-8778-B6CCE6E3B657}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{2CD0B84D-950A-454E-9F25-B6FEE7D3CD6B}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{33C9ED9A-FC65-4543-A803-A20EC99A8CB5}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{35E874D5-1CAC-4ADE-90F2-2CCAB6CDBEC0}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{37C0A45B-557A-438C-9993-1EC5557E0277}" = protocol=17 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe | 
"{3BBF896D-4C01-4938-B74D-6A85A22E4E2E}" = dir=in | app=c:\program files\dell\mediadirect\pcmservice.exe | 
"{3D7B297E-2BB3-42A8-9734-BE54528863D9}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"{4AFD6CC5-9501-45CB-A86E-9DA80777B507}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"{4D0E1152-3CD6-4770-B8BA-2F50502376B0}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{4E1E82CD-F75D-4413-85F1-59D8A6FA4CB7}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{4EAF86BC-64D4-46D3-A951-A396087282CF}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |  
"{5550DD08-F9C3-45A2-A424-1C8D96D28B23}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{59D50747-4057-4076-8E32-2C0BCB6839BF}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{5C467A4B-5F4E-4DB2-AA76-F799D05A9B4A}" = protocol=17 | dir=in | app=c:\program files\s.a.d\cyberghost vpn\cgstarter.exe | 
"{5E8426F3-BEBC-4795-8019-E98B3EDDCF34}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{65333449-C304-4E0C-A1E1-37C9DD7DEA6B}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{6BA403B6-2202-4425-B95A-7F751AA52B7F}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{727BBE33-6815-4661-AE4C-9AA02CA113AD}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{72E7FCCD-3989-4E0C-8192-AC99B774EB38}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{7FFE056D-C81A-437C-874C-418B14D94B83}" = protocol=6 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe | 
"{80A81531-0DF2-4A7A-8191-7CE88F399191}" = dir=in | app=c:\program files\skype\phone\skype.exe | 
"{8315C67B-1F18-43FA-BFE6-E4D36959E913}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{86E16782-F480-4D07-A853-0FEBA8CBAB42}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{88CB9E4B-AC41-4D42-BFD0-9D77C0759A09}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{894E48F4-C252-42D7-A940-EC0690AAD08F}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | 
"{8A7DF984-0CA8-4651-860F-2C360B764EBA}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{8AEBF526-D989-4735-93B6-80DCD568BA63}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{93E85AA7-CC31-461A-8247-460B08732804}" = protocol=6 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe | 
"{9AA23571-E0DD-4DD3-ADE9-B7EF97EC3D7A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{9B660A2C-5A19-4A6A-AF80-2F7ABBC660F7}" = protocol=6 | dir=in | app=c:\users\****\appdata\roaming\facebook\facebook.exe | 
"{A147EE81-D43F-494C-B8A0-F20FAAD55A31}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{A2E16B12-B8F0-4069-9BDD-7A8C02B04F03}" = protocol=17 | dir=in | app=c:\users\****\appdata\roaming\facebook\facebook.exe | 
"{A3C2F97B-197A-4F2F-84A1-2B8FC4E6C058}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{B108E134-9C60-4300-9A83-DF555A697E91}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{B1500F9A-E51D-43FE-AAE1-CCE2CC1CAA61}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{B4B53D1E-A005-4614-B592-5A56B0919413}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{BB8061C1-D733-4CE5-8D68-9E25BBC8814C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{BD67B304-79D2-4D6E-B3CE-00FB109A33C3}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{BE67D782-03AC-4FEB-BFD2-AC37C1209F08}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{BF699328-D1D2-4452-9325-254561CB39E8}" = protocol=17 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe | 
"{C401DE98-D627-4022-A95C-3720C51788BB}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dmp\clbrowserengine.exe | 
"{C4E5747F-733A-4C0B-A95F-A1EC5828B7FF}" = protocol=17 | dir=in | app=c:\users\****\appdata\roaming\facebook\facebook.exe | 
"{C8F7992B-97F5-4B3A-86F2-2C0340516EA3}" = dir=in | app=c:\program files\dell\mediadirect\mediadirect.exe | 
"{CAB833A3-BC36-4DA8-A3B2-CC8FB99E6F88}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{CC083FE7-FA31-4BFA-BEF7-92DEB8793E93}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{CD349E0E-782B-49E0-A73A-CC37FADF9D77}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{CF1CEB47-4D37-4094-A3F1-20EA3E61EE4B}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{D64C4E66-294C-4F28-9AC0-A8142C178795}" = protocol=6 | dir=in | app=c:\users\****\appdata\roaming\facebook\facebook.exe | 
"{DA66369B-526F-4705-8CA9-E2D0FAFF68F3}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{DC81DA97-9E96-4885-AFE9-E88F4A7DC71A}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{DE4C9F69-16C2-46F7-AD1F-EFB961CEF882}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{E9719DFF-F95A-42A8-8D6D-712CCBA06967}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{EADCF746-2CE1-42B6-B4C3-DCD312358C3A}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{EB88936C-BF28-42A1-84B0-BDA400F29A77}" = protocol=6 | dir=in | app=c:\program files\s.a.d\cyberghost vpn\cgstarter.exe | 
"{ED515EB3-32A5-43A8-B52F-2DFF8F4BC799}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{EEC6BAB6-4709-4B85-A92B-5E53CD01EB3D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{F44E435E-19E2-4982-95EE-24527DE9FA6E}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{F81C5C7E-37D4-4EAB-9EE8-F3B7F650D3B4}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{FDCB772E-07BF-403C-8F8B-FD1CE9874E4D}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"TCP Query User{02CF0E0E-1D75-46BC-BA50-F913EF9682A8}C:\program files\zattoo\zattood.exe" = protocol=6 | dir=in | app=c:\program files\zattoo\zattood.exe | 
"TCP Query User{043AAFA3-D16B-4E0C-968E-1E629502C026}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | 
"TCP Query User{11720362-ACC0-4A97-9C72-D44111140972}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe | 
"TCP Query User{216C86AB-DDBF-4D56-ABBB-69B3EDE26BD4}C:\program files\wing commander saga prologue\wcsaga.exe" = protocol=6 | dir=in | app=c:\program files\wing commander saga prologue\wcsaga.exe | 
"TCP Query User{2D739544-9058-4B7E-A992-E7028DC2FD45}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"TCP Query User{38E14E57-7D7F-4056-BC29-FF1EE65DCAA2}C:\program files\wing commander saga prologue\wcsaga.exe" = protocol=6 | dir=in | app=c:\program files\wing commander saga prologue\wcsaga.exe | 
"TCP Query User{4FC5A655-6D92-46CC-BE82-48ACCFEE5CD0}C:\program files\java\jre6\launch4j-tmp\jdownloader.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\launch4j-tmp\jdownloader.exe | 
"TCP Query User{50B7861C-4208-4EA3-9FD8-9B25CF3499A3}C:\program files\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe | 
"TCP Query User{56B8F683-7F1C-4E2E-90B2-6160B58D1671}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe | 
"TCP Query User{6135D34F-4BC9-4E14-A55E-66A4F8720450}C:\users\****\desktop\flashpen\portableapplications\vlcportable\app\vlc\vlc.exe" = protocol=6 | dir=in | app=c:\users\****\desktop\flashpen\portableapplications\vlcportable\app\vlc\vlc.exe | 
"TCP Query User{6235DD7E-C160-4FF3-B457-757420BC7113}C:\program files\videolan\vlc\vlc.exe" = protocol=6 | dir=in | app=c:\program files\videolan\vlc\vlc.exe | 
"TCP Query User{6EA38B36-30F3-403A-B4D0-7A4823C87285}C:\sandbox\****\defaultbox\user\current\appdata\roaming\facebook\facebook.exe" = protocol=6 | dir=in | app=c:\sandbox\****\defaultbox\user\current\appdata\roaming\facebook\facebook.exe | 
"TCP Query User{74F69996-31D0-44AF-A286-6F1CE17EDFAD}C:\program files\java\jre6\launch4j-tmp\jdownloader.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\launch4j-tmp\jdownloader.exe | 
"TCP Query User{7A3BFFA2-F462-4F31-9620-A54D6E380A9D}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | 
"TCP Query User{801A2B89-5C57-4831-8EA2-FE81F157A88F}C:\program files\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe | 
"TCP Query User{85A39C7B-D232-433E-8864-521C6AEFB4C5}C:\program files\zattoo\zattood.exe" = protocol=6 | dir=in | app=c:\program files\zattoo\zattood.exe | 
"TCP Query User{96D87F07-5616-4398-BDC8-D7519E6FD77E}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | 
"TCP Query User{9ADDC4E0-C7D8-46B6-8FE7-CE53FBFB5BF1}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe | 
"TCP Query User{9EEDB160-5083-4E3B-83E6-7042F90FCF27}F:\portableappz\operaportable\app\opera\opera.exe" = protocol=6 | dir=in | app=f:\portableappz\operaportable\app\opera\opera.exe | 
"TCP Query User{C092C51E-A802-48FC-982B-BF855FADA37C}C:\windows\system32\java.exe" = protocol=6 | dir=in | app=c:\windows\system32\java.exe | 
"TCP Query User{C84CEB1E-1AC2-44C5-81D6-51F26ED729A3}C:\program files\zattoo\zattoo.exe" = protocol=6 | dir=in | app=c:\program files\zattoo\zattoo.exe | 
"TCP Query User{DCF88BB8-6D9A-4CA4-8F64-75A60FF36B8F}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | 
"TCP Query User{E1258CE6-E0CC-4048-A048-6D8F32E94D9C}F:\portableappz\operaportable\app\opera\opera.exe" = protocol=6 | dir=in | app=f:\portableappz\operaportable\app\opera\opera.exe | 
"TCP Query User{E65A7CBB-5D5D-4235-A190-68F35B50646B}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |  
"TCP Query User{EE41D882-5789-47E8-ABDC-59C738C43033}D:\temp\downloads\portable applications\mirandaimportable\mirandaportable\app\miranda\miranda32.exe" = protocol=6 | dir=in | app=d:\temp\downloads\portable applications\mirandaimportable\mirandaportable\app\miranda\miranda32.exe | 
"TCP Query User{FE1CCE04-4172-4E6D-A3E1-8E7B45E4C25E}C:\program files\zattoo\zattoo.exe" = protocol=6 | dir=in | app=c:\program files\zattoo\zattoo.exe | 
"UDP Query User{0920B93C-FA68-424A-9C25-22F80085DED6}C:\program files\java\jre6\launch4j-tmp\jdownloader.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\launch4j-tmp\jdownloader.exe | 
"UDP Query User{0C9F1215-2F4C-42C2-87DC-9A9B05415CF1}C:\program files\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe | 
"UDP Query User{1FAD6D45-FEAF-4B6A-8BA1-757703B9C0EE}C:\program files\zattoo\zattood.exe" = protocol=17 | dir=in | app=c:\program files\zattoo\zattood.exe | 
"UDP Query User{250A3B71-13FB-4ECD-AD06-ECF651D93BA1}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe | 
"UDP Query User{294E755B-588A-4F88-882C-2C9FF810C3BD}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe | 
"UDP Query User{4033B113-7757-42A1-8C27-0EF2DE20755A}C:\program files\videolan\vlc\vlc.exe" = protocol=17 | dir=in | app=c:\program files\videolan\vlc\vlc.exe | 
"UDP Query User{42F38BAB-78B5-4207-A73B-CB87799FA293}C:\program files\wing commander saga prologue\wcsaga.exe" = protocol=17 | dir=in | app=c:\program files\wing commander saga prologue\wcsaga.exe | 
"UDP Query User{46FFEB55-B6C9-453F-AC10-C93EF8B862F7}C:\program files\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe | 
"UDP Query User{4813D1AD-C881-45F5-877F-24048C7606E1}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{4E53D91B-0CC9-42A2-96D1-740E617627A1}C:\windows\system32\java.exe" = protocol=17 | dir=in | app=c:\windows\system32\java.exe | 
"UDP Query User{57E68D03-5CB7-4A06-8EF0-2DC4CA113E89}F:\portableappz\operaportable\app\opera\opera.exe" = protocol=17 | dir=in | app=f:\portableappz\operaportable\app\opera\opera.exe | 
"UDP Query User{5EF2967D-4B9D-49EE-A018-F86DA4A03A64}D:\temp\downloads\portable applications\mirandaimportable\mirandaportable\app\miranda\miranda32.exe" = protocol=17 | dir=in | app=d:\temp\downloads\portable applications\mirandaimportable\mirandaportable\app\miranda\miranda32.exe | 
"UDP Query User{66B7418D-CC06-4357-8CB8-A10B8173B93A}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe | 
"UDP Query User{684377E6-43DB-4389-BD47-2A19756DE4D4}C:\program files\zattoo\zattood.exe" = protocol=17 | dir=in | app=c:\program files\zattoo\zattood.exe | 
"UDP Query User{6AB1501F-BF1C-471A-B0C4-4A5D82428786}F:\portableappz\operaportable\app\opera\opera.exe" = protocol=17 | dir=in | app=f:\portableappz\operaportable\app\opera\opera.exe | 
"UDP Query User{781FD47A-AAF0-49DE-B16A-D67A40ED5027}C:\sandbox\****\defaultbox\user\current\appdata\roaming\facebook\facebook.exe" = protocol=17 | dir=in | app=c:\sandbox\****\defaultbox\user\current\appdata\roaming\facebook\facebook.exe | 
"UDP Query User{7C3785A0-BDA4-408F-B35A-D4D830FAC098}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe | 
"UDP Query User{8A3C33EB-21FC-4439-90F7-3E55D2EC2375}C:\program files\zattoo\zattoo.exe" = protocol=17 | dir=in | app=c:\program files\zattoo\zattoo.exe | 
"UDP Query User{8B7861C0-2BDD-4CE1-AD71-B353AF8199E3}C:\program files\wing commander saga prologue\wcsaga.exe" = protocol=17 | dir=in | app=c:\program files\wing commander saga prologue\wcsaga.exe | 
"UDP Query User{A74B7A64-4344-46B4-A379-0204925A195F}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"UDP Query User{B7C32E15-73BC-4795-A3DE-593E7086812A}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{C7F9D5EC-601F-4F5E-B11D-9A087561600A}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | 
"UDP Query User{D46FB7C6-6AD8-4355-A74D-5CCA6CB9F006}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe | 
"UDP Query User{F6B8013B-7003-4672-A159-EB4E3790FEA7}C:\program files\java\jre6\launch4j-tmp\jdownloader.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\launch4j-tmp\jdownloader.exe | 
"UDP Query User{F75E1C89-72AF-46E1-9509-474B4BB5FFED}C:\program files\zattoo\zattoo.exe" = protocol=17 | dir=in | app=c:\program files\zattoo\zattoo.exe | 
"UDP Query User{FC420FD9-F740-4AF9-9207-184D6E4301A7}C:\users\****\desktop\flashpen\portableapplications\vlcportable\app\vlc\vlc.exe" = protocol=17 | dir=in | app=c:\users\****\desktop\flashpen\portableapplications\vlcportable\app\vlc\vlc.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{04830D0F-F980-4EC0-89F1-594F2FD2A1B5}" = ElsterFormular 2008/2009
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{119B7481-0216-40D2-A5CC-C3E1F461ECC1}" = Windows Live Fotogalerie
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{14D08502-FEE4-40E5-90D3-8A967A1D8BA2}" = Readiris Pro 10
"{17C4A35A-2041-42C0-8D10-DEF55B47BE56}" = Adobe Premiere Elements 8.0 Templates
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{211FD4F6-43CF-41E6-8F6D-5FDF8D70B733}" = Opera 10.51
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 20
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4685A344-6718-4923-AA9D-158A0A2E1CFB}" = SmartSound Quicktracks for Premiere Elements 8.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C271126-C295-4828-A901-5910AE0C258B}" = Cisco Systems VPN Client 5.0.03.0530
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78E804CC-A148-4C8F-AD46-0B476EFE34C2}" = Microsoft Image Composite Editor
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer
"{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger
"{86B3F2D6-AC2B-4E88-8AE1-F2F77F781B0C}" = EndNote X3
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8D273DE5-ABFA-4BD0-A9D7-EE9C971438C4}_is1" = PDF-Viewer
"{8E7D7400-4F4F-409D-8F8A-43BF1DAC575A}" = TouchChip USB Driver 2.6
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0407-0000-0000000FF1CE}" = Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile-Gerätecenter
"{90F1943D-EA4A-4460-B59F-30023F3BA69A}" = SmarThru 4
"{91E04CA7-0B13-4F8C-AA4D-2A573AC96D19}" = Windows Live Essentials
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{A0E583D1-23F7-4C35-9620-B169D7715E4B}" = Adobe Premiere Elements 8.0
"{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}" = WIDCOMM Bluetooth Software 6.0.1.3100
"{A2289997-10A3-48F2-AA03-99180D761661}" = Protector Suite QL 5.6
"{A4172810-E834-4F5A-8CA2-647344E0C2DE}" = Pop Art Studio 4.5
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-2448-0000-800000000003}" = Chinese Traditional Fonts Support For Adobe Reader 8
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B480BD2A-F1BA-4FE6-8C8E-34C6111B72C9}" = ElsterFormular 2007/2008
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C887C75D-2636-41F6-BB7B-FD4B0314C1E1}" = Paragon Partition Manager 9.0 Professional
"{C8D25596-7DD3-40EA-987A-4DA8BE5D65E5}" = Adobe Premiere Elements Updater 3.0.2
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D155D300-C235-44FC-981C-F7B34683439C}" = Paragon Drive Backup 8.51 Professional Trial
"{D1E0E859-F46D-4708-A41D-ED90C0C1822A}" = Acronis True Image Home
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile-Gerätecenter: Treiberupdate
"{E7683570-6FD5-4E58-A3B8-719C5B1AE295}" = Application Suite
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{ED636101-1959-4360-8BF7-209436E7DEE4}" = Windows Live Sync
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F5D7FAB5-A1FD-4DD3-983E-4155B09D7102}" = mCore
"{FA03C438-AA0B-409C-B90D-93C3CEB42859}" = Wing Commander Saga Prologue
"{FD023F61-65E9-465C-B558-7C64EB2B97E6}" = Dell Handbuch zum Einstieg
"{FE6E1AF6-6B88-44FE-8101-84AE6A52B393}" = Windows Live Movie Maker-Betaversion
"7-Zip" = 7-Zip 4.57
"AC3Filter" = AC3Filter (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"AFPL Ghostscript 8.54" = AFPL Ghostscript 8.54
"AFPL Ghostscript Fonts" = AFPL Ghostscript Fonts
"Ask Toolbar_is1" = Foxit Toolbar
"Audiograbber" = Audiograbber 1.83 SE 
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Biet-O-Matic v2.10.0a" = Biet-O-Matic v2.10.0a
"CCleaner" = CCleaner
"Copernic Agent Personal" = Copernic Agent Personal
"CopernicDesktopSearch2" = Copernic Desktop Search - Home
"Creative OEM004" = Laptop Integrated Webcam Driver (1.03.01.1011)  
"CyberGhost VPN_is1" = CyberGhost VPN Patch 4.5.17
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Foxit Reader" = Foxit Reader
"Free Download Manager_is1" = Free Download Manager 2.5
"FreeCommander_is1" = FreeCommander 2008.06
"FreePDF_XP" = FreePDF XP (Remove only)
"Google Updater" = Google Updater
"GoToAssist" = GoToAssist 8.0.0.514
"HijackThis" = HijackThis 2.0.2
"InstallShield_{4685A344-6718-4923-AA9D-158A0A2E1CFB}" = SmartSound Quicktracks for Premiere Elements 8.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"Mp3 Codec" = Mpeg Layer3 Codec FHG-Radium v1.263
"MPE" = MyPhoneExplorer
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"PhotoFiltre" = PhotoFiltre
"PremElem80" = Adobe Premiere Elements 8.0
"PremElem80Templates" = Adobe Premiere Elements 8.0 Templates
"ProInst" = Intel(R) PROSet/Wireless Software
"QuicktimeAlt_is1" = QuickTime Alternative 2.6.0
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"Samsung SCX-4500 Series" = Samsung SCX-4500 Series
"Sandboxie" = Sandboxie 3.40
"SynTPDeinstKey" = Dell Touchpad
"VLC media player" = VLC media player 1.0.3
"Winamp" = Winamp
"WinGimp-2.0_is1" = Gimp 2.6.0
"WinLiveSuite_Wave3" = Windows Live Essentials
"Xvid_is1" = Xvid 1.1.3 final uninstall
"Zattoo" = Zattoo 3.3.4 Beta
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"sc09-ORF_MAIN" = ORF-Ski Challenge 2009
"Winamp Detect" = Winamp Erkennungs-Plug-in
 
========== Last 10 Event Log Errors ==========
 
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
 
< End of report >
         
Many thanks already for the quick response...


Last edited by cP-mz (28.04.2010 at 07:40)

28.04.2010, 08:02   #6
Chris4You

Hi,

that looks fine so far; the Ask bar is still on there...
  • Double-click OTL.exe to run the program.
  • Vista/Win7 users: right-click it and start it with "Run as administrator".
  • Copy the entire contents of the following code box into the OTL box under "Custom Scan/Fixes"
Code:
:OTL
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
[2010.04.27 23:05:51 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\70FBC48EA6E9A4545597A45CAE42A3FA
[2010.04.27 23:05:48 | 000,000,000 | -HSD | C] -- C:\Users\***\AppData\Roaming\lowsec

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = dword:0x00

:Commands
[emptytemp]
[Reboot]

  • Click the red "Run Fixes!" button.
  • Please copy everything out of the results window (Results).
  • A copy of the OTL fix log is saved as a text file in the following folder:
  • %systemroot%\_OTL

Avira:
Configure Avira as follows: http://www.trojaner-board.de/54192-a...tellungen.html
Run a full system scan and post the result!

Also post the original MAM log....

chris
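The two directory entries in the OTL fix above use OTL's file-list format (timestamp | size | attribute flags | C/M | path), and the question running through this thread is which of those entries are malware artefacts and from when. As an added example, not code from the thread, from OTL or from the helpers here, the following Python script parses such lines, flags directories created under AppData\Roaming within a chosen time window that are either hidden+system (as lowsec is) or carry a 32-hex-digit name (a heuristic for the 70FBC48E... style folder, not a malware signature), and returns the earliest creation time as the log's lower bound for "since when is the machine compromised". It assumes OTL's usual column meaning (R/H/S/D attribute flags, C = creation time, M = modification time); the sample input is constructed from the lines quoted in the fix plus one ordinary Mozilla directory added for contrast.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input: the two directory lines and the O2 lines quoted in
# the OTL fix above, plus one ordinary Mozilla directory added for contrast.
SAMPLE_OTL = r"""
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
[2010.04.27 23:05:51 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\70FBC48EA6E9A4545597A45CAE42A3FA
[2010.04.27 23:05:48 | 000,000,000 | -HSD | C] -- C:\Users\***\AppData\Roaming\lowsec
[2010.04.20 12:00:00 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Mozilla
"""

# OTL file/directory line: [date time | size | RHSD flags | C or M] -- path
# Reading of the columns (R/H/S/D attributes, C = created, M = modified) follows
# OTL's usual report layout; this is an assumption, not taken from the thread.
OTL_FILE_RE = re.compile(
    r"^\[(\d{4})[./](\d{2})[./](\d{2}) (\d{2}):(\d{2}):(\d{2}) \| "
    r"([\d,]+) \| ([RHSD-]{4}) \| ([CM])\] -- (.+?)\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class FileEntry:
    when: datetime
    size: int
    hidden: bool
    system: bool
    is_dir: bool
    created: bool      # True when the timestamp column is 'C' (creation time)
    path: str

    @property
    def name(self) -> str:
        return self.path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_otl(text: str) -> List[FileEntry]:
    """Extract file/directory entries; O2/O3 and other report lines are skipped."""
    entries: List[FileEntry] = []
    for line in text.splitlines():
        m = OTL_FILE_RE.match(line)
        if not m:
            continue
        y, mo, d, h, mi, s = (int(x) for x in m.group(1, 2, 3, 4, 5, 6))
        flags = m.group(8)
        entries.append(FileEntry(
            when=datetime(y, mo, d, h, mi, s),
            size=int(m.group(7).replace(",", "")),
            hidden="H" in flags,
            system="S" in flags,
            is_dir="D" in flags,
            created=m.group(9) == "C",
            path=m.group(10),
        ))
    return entries


def flag_roaming_dirs(entries: List[FileEntry], start: datetime,
                      end: datetime) -> List[FileEntry]:
    """Directories created under AppData\\Roaming inside [start, end] that are
    hidden+system (as lowsec is) or carry a 32-hex-digit name (heuristic for
    the 70FBC48E... style folder; not a malware signature)."""
    hits = [
        e for e in entries
        if e.is_dir and e.created and start <= e.when <= end
        and "\\AppData\\Roaming\\" in e.path
        and ((e.hidden and e.system) or HEX32_RE.match(e.name))
    ]
    return sorted(hits, key=lambda e: e.when)


def analyse(text: str, start: str, end: str) -> Dict[str, object]:
    """Run the check over a log excerpt for a window given as 'YYYY-MM-DD HH:MM:SS'.
    'earliest' is the oldest flagged creation time: the log's lower bound for
    'since when is the machine compromised'."""
    hits = flag_roaming_dirs(parse_otl(text),
                             datetime.strptime(start, TIME_FMT),
                             datetime.strptime(end, TIME_FMT))
    earliest: Optional[str] = (
        min(h.when for h in hits).strftime(TIME_FMT) if hits else None
    )
    return {"flagged": [h.name for h in hits],
            "paths": [h.path for h in hits],
            "earliest": earliest}


if __name__ == "__main__":
    # Window: the evening of the Avira alert described in the thread.
    result = analyse(SAMPLE_OTL, "2010-04-27 22:00:00", "2010-04-28 00:00:00")
    for p in result["paths"]:
        print("suspicious:", p)
    print("earliest creation:", result["earliest"])
```

Feed it a complete OTL report rather than the excerpt and widen the window if the infection date is unknown; the creation timestamps it returns are what to compare against the browser history and the antivirus alert time, and a directory whose creation time is later than the cleanup is the sign that something is recreating it.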

29.04.2010, 15:49   #7
pruggy

hello,
this virus really means business... so be very careful and be very sure that it is no longer on your computer!

https://sicherheit.sparkasse-allgaeu.de/anzeigen.php?tpl=privatkunden/konten_karten/sicherheit/warnmeldungen.html

regards
p

29.04.2010, 16:21   #8
cP-mz

Thanks pruggy,

I downloaded a Linux live CD and, to be on the safe side, used it to change all my passwords first.

For the time being I will also only do online banking this way...

The directories mentioned in the article are now definitely gone on my machine.

The files %System%\lowsec\user.ds and %System%\lowsec\local.ds (encoded configuration data) I did not have at all.

So either I was dealing with a modified variant (one that stores its configuration files elsewhere), or the malware could not install itself completely on the system because AntiVir kicked in immediately.

It would be interesting to know whether, with an infection still present, the files and directories mentioned get recreated again and again. Can anyone assess that?

Best regards,

Christian

29.04.2010, 16:28   #9
pruggy

hello christian,
you're welcome. for now I'm leaving the virus on the computer as it is, for evidence purposes. since we were hit quite badly, though, I won't even attempt to just delete this virus but will set up the whole system from scratch.
that doesn't answer your justified question, but maybe it makes clear once more that this virus really does do damage to the bank account.

all the best

29.04.2010, 16:57   #10
cP-mz

I'm sorry to hear that... something like that is really nasty...

Can you trace how the infection happened and how long the virus went undetected on your system?

I hope the banks are cooperative toward you. After all, iTAN is not a secure solution either, and if the banks jointly wanted to, they could surely introduce something better.
But even hardware tokens that generate a TAN for each transaction are not 100% secure, because as soon as you enter it, the virus can read it and then misuse it within a certain time for a transaction of its own.
So that really only leaves signature cards, which are probably too complicated for many people. I myself have a reader, but no card from the bank...

That's how it is with security and convenience... after this incident I have dramatically raised my level of caution, though.... what worries me most, by the way, is that credit card details may have been read, because there really are no security measures there at all (but if the infection happened in the timeframe I suspect, I made no transactions during that period).

29.04.2010, 18:01   #11
pruggy

I don't know exactly yet. the transaction was on 21.04. we'll sit down tomorrow morning and try to sort it out, because supposedly the mobile number wasn't asked for during the transaction... when I know more I'll post it here.
regarding the credit card, I can perhaps reassure you somewhat: the companies have a profile of your purchasing habits. if there are unusual transactions, it gets flagged and you receive a notification, by post... ;-)

in any case I hope everything goes well for you...
