Der Sparkassen RAT

Bash · 23.03.2011, 16:44

Hallo,

auch ich gehöre zu den Opfern des Sparkassen Phishing tools -_- Heute habe ich bemerkt, dass nach dem einloggen eine Abfrage der "itans" statt fand. Also habe ich angerufen und es ist offensichtlich ein Trojaner.

Ich hab mich daraufhin hier durchgelesen. Offensichtlich nennt man den Schädling "spyeye" ?

Ich habe einen vollen Systemscan mit AntiVir durchführen lassen. Der hat einiges gefunden und gelöscht. Außerdem im Systemstart -"msconfig" eine "hjashdjw.exe" enfernt, den passenden Registry Eintrag und natürlich die Datei selbst.

Spybot S&D hat auch ein paar Einträge gefunden (Windows Sec Center) und einen Trojaner.
Spybot ist wd deinstalliert und neugestartet.

Hijackthis Log hat nichts auffälliges gezeigt

Jetzt habe ich einen OTL scan durchführen lassen. Hier die LogOTL Logfile:

Code:

ATTFilter

OTL logfile created on: 23.03.2011 16:17:34 - Run 1
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Users\FrankHE\Downloads
 An unknown product  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 45,00% Memory free
4,00 Gb Paging File | 2,00 Gb Available in Paging File | 61,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 24,12 Gb Free Space | 10,36% Space Free | Partition Type: NTFS
Unable to calculate disk information.
 
Computer Name: FRANKHE-PC | User Name: FrankHE | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\FrankHE\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Hobbyist Software\Off-Helper\Off-Helper Service.exe (Microsoft)
PRC - C:\Programme\Hobbyist Software\Off-Helper\Off-Helper Configuration.exe (Microsoft)
PRC - C:\Programme\Trillian\trillian.exe (Cerulean Studios)
PRC - C:\Programme\Sandboxie\SbieSvc.exe (tzuk)
PRC - C:\Programme\TeamViewer\Version5\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Programme\DynDNS Updater\DynUpSvc.exe (Dynamic Network Services, Inc.)
PRC - C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Programme\Nero\Update\NASvc.exe (Nero AG)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Common Files\logishrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone)
PRC - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Programme\Common Files\EPSON\eEBAPI\eEBSvc.exe (SEIKO EPSON CORPORATION)
 
 
========== Modules (SafeList) ==========
 
MOD - C:\Users\FrankHE\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation)
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (Off-Helper) -- C:\Programme\Hobbyist Software\Off-Helper\Off-Helper Service.exe (Microsoft)
SRV - (Steam Client Service) -- C:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (SbieSvc) -- C:\Program Files\Sandboxie\SbieSvc.exe (tzuk)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
SRV - (TeamViewer5) -- C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (DynDNS Updater) -- C:\Programme\DynDNS Updater\DynUpSvc.exe (Dynamic Network Services, Inc.)
SRV - (Stereo Service) -- C:\Programme\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (NAUpdate) -- C:\Program Files\Nero\Update\NASvc.exe (Nero AG)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (VMCService) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone)
SRV - (EpsonBidirectionalService) -- C:\Programme\Common Files\EPSON\eEBAPI\eEBSvc.exe (SEIKO EPSON CORPORATION)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (LVRS) -- C:\Windows\System32\drivers\lvrs.sys (Logitech Inc.)
DRV - (SbieDrv) -- C:\Programme\Sandboxie\SbieDrv.sys (tzuk)
DRV - (NPF) -- C:\Windows\System32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (VBoxUSBMon) -- C:\Windows\System32\drivers\VBoxUSBMon.sys (Oracle Corporation)
DRV - (VBoxDrv) -- C:\Windows\System32\drivers\VBoxDrv.sys (Oracle Corporation)
DRV - (VBoxNetFlt) -- C:\Windows\System32\drivers\VBoxNetFlt.sys (Oracle Corporation)
DRV - (VBoxNetAdp) -- C:\Windows\System32\drivers\VBoxNetAdp.sys (Oracle Corporation)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ZTEusbser6k) -- C:\Windows\System32\drivers\ZTEusbser6k.sys (ZTE Incorporated)
DRV - (ZTEusbnmea) -- C:\Windows\System32\drivers\ZTEusbnmea.sys (ZTE Incorporated)
DRV - (ZTEusbmdm6k) -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys (ZTE Incorporated)
DRV - (LVUVC) Logitech Webcam 200(UVC) -- C:\Windows\System32\drivers\lvuvc.sys (Logitech Inc.)
DRV - (lvpopflt) -- C:\Windows\System32\drivers\lvpopflt.sys (Logitech Inc.)
DRV - (LVPr2Mon) -- C:\Windows\System32\drivers\LVPr2Mon.sys ()
DRV - (ZTEusbnet) -- C:\Windows\System32\drivers\ZTEusbnet.sys (ZTE Corporation)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (netr73) -- C:\Windows\System32\drivers\netr73.sys (Ralink Technology, Corp.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (massfilter) -- C:\Windows\System32\drivers\massfilter.sys (ZTE Incorporated)
DRV - (ZTEusbvoice) -- C:\Windows\System32\drivers\zteusbvoice.sys (ZTE Incorporated)
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (irsir) -- C:\Windows\System32\drivers\irsir.sys (Microsoft Corporation)
DRV - (sscdmdm) -- C:\Windows\System32\drivers\sscdmdm.sys (MCCI)
DRV - (sscdmdfl) -- C:\Windows\System32\drivers\sscdmdfl.sys (MCCI)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\Windows\System32\drivers\sscdbus.sys (MCCI)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 43 41 52 07 50 B0 CB 01  [binary data]
IE - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/ig?hl=de"
FF - prefs.js..extensions.enabledItems: {B17C1C5A-04B1-11DB-9804-B622A1EF5492}:1.2.1
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:2.22.5
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.33
FF - prefs.js..network.proxy.backup.ftp: "213.203.203.52"
FF - prefs.js..network.proxy.backup.ftp_port: 1338
FF - prefs.js..network.proxy.backup.gopher: "213.203.203.52"
FF - prefs.js..network.proxy.backup.gopher_port: 1338
FF - prefs.js..network.proxy.backup.socks: "213.203.203.52"
FF - prefs.js..network.proxy.backup.socks_port: 1338
FF - prefs.js..network.proxy.backup.ssl: "213.203.203.52"
FF - prefs.js..network.proxy.backup.ssl_port: 1338
FF - prefs.js..network.proxy.ftp: "92.241.190.219"
FF - prefs.js..network.proxy.ftp_port: 4334
FF - prefs.js..network.proxy.gopher: "92.241.190.219"
FF - prefs.js..network.proxy.gopher_port: 4334
FF - prefs.js..network.proxy.http: "92.241.190.219"
FF - prefs.js..network.proxy.http_port: 4334
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "92.241.190.219"
FF - prefs.js..network.proxy.socks_port: 4334
FF - prefs.js..network.proxy.ssl: "92.241.190.219"
FF - prefs.js..network.proxy.ssl_port: 4334
FF - prefs.js..network.proxy.type: 0
 
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.03.21 13:16:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.03.21 13:16:24 | 000,000,000 | ---D | M]
 
[2010.04.15 11:59:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\FrankHE\AppData\Roaming\mozilla\Extensions
[2011.03.22 16:42:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\FrankHE\AppData\Roaming\mozilla\Firefox\Profiles\pga6o29z.default\extensions
[2010.09.02 10:11:50 | 000,000,000 | ---D | M] (Password Exporter) -- C:\Users\FrankHE\AppData\Roaming\mozilla\Firefox\Profiles\pga6o29z.default\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
[2011.01.31 14:21:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\FrankHE\AppData\Roaming\mozilla\Firefox\Profiles\pga6o29z.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011.01.10 00:02:10 | 000,000,000 | ---D | M] ("SearchStatus") -- C:\Users\FrankHE\AppData\Roaming\mozilla\Firefox\Profiles\pga6o29z.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2011.01.31 14:21:49 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\FrankHE\AppData\Roaming\mozilla\Firefox\Profiles\pga6o29z.default\extensions\foxyproxy@eric.h.jung
[2011.01.31 14:21:46 | 000,000,000 | ---D | M] (IE Tab Plus) -- C:\Users\FrankHE\AppData\Roaming\mozilla\Firefox\Profiles\pga6o29z.default\extensions\ietab@ip.cn
[2010.09.09 16:59:06 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2011.01.02 14:52:03 | 000,000,000 | ---D | M] (Skype extension) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011.01.02 14:52:03 | 000,000,000 | ---D | M] (Skype extension) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{AB2CE124-6272-4B12-94A9-7303C7397BD1}
[2010.04.21 18:59:29 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2010.07.23 09:27:16 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2010.07.23 09:27:16 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2010.07.23 09:27:16 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2010.07.23 09:27:16 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2010.07.23 09:27:16 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.10.24 22:56:17 | 000,001,961 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 hxxp://www.adobeereg.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 192.150.18.108
O1 - Hosts: 127.0.0.1 activate.adobe.com:443
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 192.150.18.108
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 14 more lines...
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
O2 - BHO: (FlashFXP Helper for Internet Explorer) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programme\FlashFXP\IEFlash.dll (IniCom Networks, Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
O3 - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000\..\Toolbar\WebBrowser: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} -  File not found
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Hobbyist Software On-Off Helper] C:\Program Files\Hobbyist Software\Off-Helper\Off-Helper Configuration.exe (Microsoft)
O4 - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000..\Run: [EPSON Stylus SX600FW(Netzwerk)] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIEKE.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-2410171022-1210043899-1249919164-1000..\Run: [VoipBuster]  File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - Startup: C:\Users\FrankHE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O8 - Extra context menu item: &NeoTrace It! - C:\Programme\NeoTrace Express\NTXcontext.htm ()
O8 - Extra context menu item: An vorhandene PDF-Datei anfügen - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: In Adobe PDF konvertieren - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Linkziel an vorhandene PDF-Datei anhängen - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Linkziel in Adobe PDF konvertieren - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -  File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -  File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Windows\System32\PrxerNsp.dll (Initex Software)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\PrxerDrv.dll (Initex Software)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\PrxerDrv.dll (Initex Software)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{20739e4a-e1c7-11df-a0c2-08002700a0d9}\Shell - "" = AutoRun
O33 - MountPoints2\{20739e4a-e1c7-11df-a0c2-08002700a0d9}\Shell\AutoRun\command - "" = F:\Startup.exe
O33 - MountPoints2\{3f8f54aa-4bd8-11df-b652-89c3375f2fa9}\Shell - "" = AutoRun
O33 - MountPoints2\{3f8f54aa-4bd8-11df-b652-89c3375f2fa9}\Shell\AutoRun\command - "" = G:\Setup.exe -auto
O33 - MountPoints2\{51c547a0-93f2-11df-b494-f32a10b47706}\Shell - "" = AutoRun
O33 - MountPoints2\{51c547a0-93f2-11df-b494-f32a10b47706}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{bb051288-9376-11df-9e84-92b101b3cdc5}\Shell - "" = AutoRun
O33 - MountPoints2\{bb051288-9376-11df-9e84-92b101b3cdc5}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{c04f3b29-9185-11df-a16e-08002700a0d9}\Shell\Option1\Command - "" = H:\HBCD\Wintools\Autorun.exe
O33 - MountPoints2\{ccc4abe5-9633-11df-9639-08002700a0d9}\Shell - "" = AutoRun
O33 - MountPoints2\{ccc4abe5-9633-11df-9639-08002700a0d9}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{d7d14061-9296-11df-b980-08002700a0d9}\Shell - "" = AutoRun
O33 - MountPoints2\{d7d14061-9296-11df-b980-08002700a0d9}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
MsConfig - StartUpFolder: C:^Users^FrankHE^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Touch Mouse Server.lnk - C:\Programme\Logitech Touch Mouse Server\iTouch-Server-Win.exe - (Logitech, Inc.)
MsConfig - StartUpReg: Acrobat Assistant 8.0 - hkey= - key= - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
MsConfig - StartUpReg: Adobe Acrobat Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AppleSyncNotifier - hkey= - key= - C:\Programme\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
MsConfig - StartUpReg: autodetect - hkey= - key= -  File not found
MsConfig - StartUpReg: DAEMON Tools Lite - hkey= - key= - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MsConfig - StartUpReg: hsfe8owijfisjhgs7ye39gjsoighsd7y3eu - hkey= - key= -  File not found
MsConfig - StartUpReg: hsfg9w8gujsokgahi8gysgnsdgefshyjy - hkey= - key= -  File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: LightScribe Control Panel - hkey= - key= - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: LogitechQuickCamRibbon - hkey= - key= - C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
MsConfig - StartUpReg: mcexecwin - hkey= - key= -  File not found
MsConfig - StartUpReg: MobileConnect - hkey= - key= -  File not found
MsConfig - StartUpReg: moonxxxxxx.exe - hkey= - key= -  File not found
MsConfig - StartUpReg: NBAgent - hkey= - key= - C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe (Nero AG)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: SandboxieControl - hkey= - key= - C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)
MsConfig - StartUpReg: Skype - hkey= - key= - C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
MsConfig - StartUpReg: Steam - hkey= - key= - C:\Program Files\Steam\Steam.exe (Valve Corporation)
MsConfig - StartUpReg: userinit - hkey= - key= -  File not found
MsConfig - StartUpReg: winupdater - hkey= - key= -  File not found
MsConfig - StartUpReg: {C1ACEF5A-2A0E-D0B1-CDAA-842E66CBF2E8} - hkey= - key= -  File not found
MsConfig - State: "startup" - 2
 
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS -  File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: WinDefend - C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
 
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS -  File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vmms - Service
SafeBootNet: WinDefend - C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
 
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
 
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.ffds - C:\Programme\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.i420 - C:\Windows\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: VIDC.WMV3 - C:\Windows\System32\wmv9vcm.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

 
========== Files/Folders - Created Within 30 Days ==========
 
[2011.03.21 17:04:54 | 000,000,000 | ---D | C] -- C:\Users\FrankHE\AppData\Local\Nero
[2011.03.21 13:25:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011.03.21 13:24:24 | 000,000,000 | ---D | C] -- C:\Programme\iPod
[2011.03.21 13:24:23 | 000,000,000 | ---D | C] -- C:\Programme\iTunes
[2011.03.21 13:17:12 | 000,000,000 | ---D | C] -- C:\Programme\Safari
[2011.03.21 13:16:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011.03.21 13:16:01 | 000,000,000 | ---D | C] -- C:\Programme\QuickTime
[2011.03.21 13:14:31 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011.03.18 23:37:20 | 000,000,000 | ---D | C] -- C:\Users\FrankHE\AppData\Roaming\Mumble
[2011.03.18 22:44:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mumble
[2011.03.18 22:44:48 | 000,000,000 | ---D | C] -- C:\Programme\Mumble
[2011.03.18 20:40:01 | 000,000,000 | ---D | C] -- C:\Users\FrankHE\AppData\Roaming\EPSON
[2011.03.17 00:35:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LAB1.de
[2011.03.17 00:35:50 | 000,000,000 | ---D | C] -- C:\Programme\Tools&More
[2011.03.17 00:35:12 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2011.03.14 14:43:17 | 000,135,168 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\EEBAPI.dll
[2011.03.14 14:43:17 | 000,065,536 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\EEBUtil.dll
[2011.03.14 14:43:15 | 000,000,000 | ---D | C] -- C:\Users\FrankHE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EPSON
[2011.03.14 14:42:55 | 000,110,592 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\EEBDSCVR.dll
[2011.03.14 14:42:55 | 000,077,824 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\EBAPI.dll
[2011.03.14 14:42:55 | 000,055,808 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\EEBSDKIF.dll
[2011.03.14 14:42:54 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\EPSON
[2011.03.14 14:42:52 | 000,474,892 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\ensppmon.dll
[2011.03.14 14:42:52 | 000,474,892 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\enppmon.dll
[2011.03.14 14:42:52 | 000,457,099 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\ensppui.dll
[2011.03.14 14:42:52 | 000,457,099 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\enppui.dll
[2011.03.14 14:42:52 | 000,250,880 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\enspres.dll
[2011.03.14 14:42:52 | 000,250,880 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\enpres.dll
[2011.03.14 14:42:52 | 000,000,000 | ---D | C] -- C:\Programme\EpsonNet
[2011.03.14 13:12:36 | 000,501,912 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\PICSDK2.dll
[2011.03.14 13:12:36 | 000,120,992 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\EpPicPrt.dll
[2011.03.14 13:12:36 | 000,108,704 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\PICEntry.dll
[2011.03.14 13:12:36 | 000,080,024 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\PICSDK.dll
[2011.03.14 13:12:36 | 000,071,840 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\EPPicMgr.dll
[2011.03.14 13:12:34 | 000,000,000 | ---D | C] -- C:\Users\FrankHE\AppData\Roaming\InstallShield
[2011.03.14 13:12:09 | 000,086,528 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\E_FLBEKE.DLL
[2011.03.14 13:12:07 | 000,078,848 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\E_FD4BEKE.DLL
[2011.03.14 13:11:42 | 000,071,680 | ---- | C] (SEIKO EPSON CORP.) -- C:\Windows\System32\escwiad.dll
[2011.03.14 13:11:42 | 000,009,216 | ---- | C] (SEIKO EPSON CORP.) -- C:\Windows\System32\escdev.dll
[2011.03.14 13:11:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON
[2011.03.14 13:11:40 | 000,000,000 | ---D | C] -- C:\Programme\epson
[2011.03.09 11:04:26 | 000,850,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011.03.09 11:04:26 | 000,642,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2011.03.09 11:04:26 | 000,534,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011.03.09 11:04:26 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011.03.06 00:22:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Hobbyist Software
[2011.03.06 00:22:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Off-Helper
[2011.03.06 00:22:03 | 000,000,000 | ---D | C] -- C:\Programme\Hobbyist Software
[2011.02.26 22:55:39 | 000,000,000 | ---D | C] -- C:\Users\FrankHE\AppData\Local\WBFSManager
[2011.02.26 22:55:04 | 000,000,000 | ---D | C] -- C:\Users\FrankHE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WBFS Manager
[2011.02.26 22:55:03 | 000,000,000 | ---D | C] -- C:\Users\FrankHE\Documents\WBFS Manager Covers
[2011.02.26 22:55:03 | 000,000,000 | ---D | C] -- C:\Programme\WBFS
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2011.03.23 15:27:02 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.03.23 11:39:57 | 000,021,408 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011.03.23 11:39:57 | 000,021,408 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011.03.23 11:32:18 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.03.23 11:32:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.03.23 11:32:07 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs
[2011.03.23 11:32:01 | 1610,063,872 | -HS- | M] () -- C:\hiberfil.sys
[2011.03.22 20:32:40 | 000,140,248 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2011.03.22 20:32:30 | 000,266,400 | ---- | M] () -- C:\Windows\System32\PnkBstrB.xtr
[2011.03.22 20:30:29 | 000,215,128 | ---- | M] () -- C:\Windows\System32\PnkBstrB.ex0
[2011.03.21 13:25:22 | 000,001,763 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011.03.21 13:17:34 | 000,001,152 | ---- | M] () -- C:\Windows\System32\mapisvc.inf
[2011.03.18 23:38:28 | 000,002,386 | ---- | M] () -- C:\Users\FrankHE\Documents\MumbleAutomaticCertificateBackup.p12
[2011.03.13 16:48:22 | 006,704,124 | ---- | M] () -- C:\Users\FrankHE\Desktop\Bandansage2.wav
[2011.03.10 17:27:58 | 000,256,413 | ---- | M] () -- C:\Users\FrankHE\Documents\versuch 5.wma
[2011.03.10 17:27:26 | 000,233,963 | ---- | M] () -- C:\Users\FrankHE\Documents\Versuch 4.wma
[2011.03.10 17:25:27 | 000,166,613 | ---- | M] () -- C:\Users\FrankHE\Documents\Unbenannt.wma
[2011.03.10 16:01:47 | 000,211,513 | ---- | M] () -- C:\Users\FrankHE\Documents\test.wma
[2011.03.06 10:01:26 | 000,001,917 | ---- | M] () -- C:\Users\FrankHE\Desktop\Mozilla Firefox.lnk
[2011.03.06 00:22:18 | 000,001,024 | ---- | M] () -- C:\Windows\System32\.rnd
[2011.03.06 00:22:18 | 000,001,024 | ---- | M] () -- C:\.rnd
[2011.03.01 23:06:17 | 000,042,886 | ---- | M] () -- C:\Users\FrankHE\Documents\IMG_2525.jpg
[2011.02.28 23:24:16 | 000,511,827 | ---- | M] () -- C:\Users\FrankHE\Documents\WHS_2371c.jpg
[2011.02.26 20:32:48 | 000,518,034 | ---- | M] () -- C:\Users\FrankHE\Documents\dreaming 3.m4a
[2011.02.25 23:12:18 | 001,317,909 | ---- | M] () -- C:\Users\FrankHE\Documents\053_53.JPG
[2011.02.25 23:09:19 | 001,451,863 | ---- | M] () -- C:\Users\FrankHE\Documents\085_85.JPG
[2011.02.25 23:09:08 | 000,035,587 | ---- | M] () -- C:\Users\FrankHE\Documents\1-2e159a3a1427493b395e72a98980f6ae.jpg
[2011.02.25 23:08:11 | 001,330,014 | ---- | M] () -- C:\Users\FrankHE\Documents\066_66.JPG
[2011.02.25 23:06:59 | 000,941,294 | ---- | M] () -- C:\Users\FrankHE\Documents\070_70.JPG
[2011.02.25 23:05:03 | 001,274,993 | ---- | M] () -- C:\Users\FrankHE\Documents\054_54.JPG
[2011.02.25 23:02:36 | 001,202,657 | ---- | M] () -- C:\Users\FrankHE\Documents\017_17.JPG
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2011.03.21 13:25:22 | 000,001,763 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011.03.21 13:17:17 | 000,002,491 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Safari.lnk
[2011.03.18 23:38:28 | 000,002,386 | ---- | C] () -- C:\Users\FrankHE\Documents\MumbleAutomaticCertificateBackup.p12
[2011.03.14 14:43:14 | 000,001,120 | ---- | C] () -- C:\Windows\System32\E_ADDNET.DAT
[2011.03.14 13:12:36 | 000,111,932 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
[2011.03.14 13:12:36 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
[2011.03.14 13:12:36 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
[2011.03.14 13:12:36 | 000,026,154 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
[2011.03.14 13:12:36 | 000,024,903 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
[2011.03.14 13:12:36 | 000,021,390 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
[2011.03.14 13:12:36 | 000,020,148 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
[2011.03.14 13:12:36 | 000,013,732 | ---- | C] () -- C:\Windows\System32\EPPICLocal_EN.cfg
[2011.03.14 13:12:36 | 000,011,811 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
[2011.03.14 13:12:36 | 000,006,442 | ---- | C] () -- C:\Windows\System32\EPPICLocal_IT.cfg
[2011.03.14 13:12:36 | 000,006,335 | ---- | C] () -- C:\Windows\System32\EPPICLocal_GE.cfg
[2011.03.14 13:12:36 | 000,006,195 | ---- | C] () -- C:\Windows\System32\EPPICLocal_FR.cfg
[2011.03.14 13:12:36 | 000,006,195 | ---- | C] () -- C:\Windows\System32\EPPICLocal_CF.cfg
[2011.03.14 13:12:36 | 000,006,122 | ---- | C] () -- C:\Windows\System32\EPPICLocal_DU.cfg
[2011.03.14 13:12:36 | 000,006,103 | ---- | C] () -- C:\Windows\System32\EPPICLocal_ES.cfg
[2011.03.14 13:12:36 | 000,005,817 | ---- | C] () -- C:\Windows\System32\EPPICLocal_KO.cfg
[2011.03.14 13:12:36 | 000,005,436 | ---- | C] () -- C:\Windows\System32\EPPICLocal_SC.cfg
[2011.03.14 13:12:36 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
[2011.03.14 13:12:36 | 000,002,889 | ---- | C] () -- C:\Windows\System32\EPPICLocal_RU.cfg
[2011.03.14 13:12:36 | 000,002,426 | ---- | C] () -- C:\Windows\System32\EPPICLocal_TC.cfg
[2011.03.14 13:12:36 | 000,001,146 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_DU.dat
[2011.03.14 13:12:36 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
[2011.03.14 13:12:36 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
[2011.03.14 13:12:36 | 000,001,136 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
[2011.03.14 13:12:36 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
[2011.03.14 13:12:36 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
[2011.03.14 13:12:36 | 000,001,120 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_IT.dat
[2011.03.14 13:12:36 | 000,001,107 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_GE.dat
[2011.03.14 13:12:36 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
[2011.03.14 13:12:36 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2011.03.14 13:12:35 | 000,006,347 | ---- | C] () -- C:\Windows\System32\EPPICLocal_PT.cfg
[2011.03.14 13:12:35 | 000,006,347 | ---- | C] () -- C:\Windows\System32\EPPICLocal_BP.cfg
[2011.03.13 16:42:46 | 006,704,124 | ---- | C] () -- C:\Users\FrankHE\Desktop\Bandansage2.wav
[2011.03.10 17:27:58 | 000,256,413 | ---- | C] () -- C:\Users\FrankHE\Documents\versuch 5.wma
[2011.03.10 17:27:26 | 000,233,963 | ---- | C] () -- C:\Users\FrankHE\Documents\Versuch 4.wma
[2011.03.10 17:25:27 | 000,166,613 | ---- | C] () -- C:\Users\FrankHE\Documents\Unbenannt.wma
[2011.03.10 16:01:47 | 000,211,513 | ---- | C] () -- C:\Users\FrankHE\Documents\test.wma
[2011.03.06 10:01:26 | 000,001,917 | ---- | C] () -- C:\Users\FrankHE\Desktop\Mozilla Firefox.lnk
[2011.03.06 00:22:18 | 000,001,024 | ---- | C] () -- C:\Windows\System32\.rnd
[2011.03.06 00:22:18 | 000,001,024 | ---- | C] () -- C:\.rnd
[2011.03.01 23:06:15 | 000,042,886 | ---- | C] () -- C:\Users\FrankHE\Documents\IMG_2525.jpg
[2011.02.28 23:23:53 | 000,511,827 | ---- | C] () -- C:\Users\FrankHE\Documents\WHS_2371c.jpg
[2011.02.26 20:32:29 | 000,518,034 | ---- | C] () -- C:\Users\FrankHE\Documents\dreaming 3.m4a
[2011.02.25 23:09:20 | 001,317,909 | ---- | C] () -- C:\Users\FrankHE\Documents\053_53.JPG
[2011.02.25 23:09:02 | 000,035,587 | ---- | C] () -- C:\Users\FrankHE\Documents\1-2e159a3a1427493b395e72a98980f6ae.jpg
[2011.02.25 23:08:51 | 001,451,863 | ---- | C] () -- C:\Users\FrankHE\Documents\085_85.JPG
[2011.02.25 23:07:52 | 001,330,014 | ---- | C] () -- C:\Users\FrankHE\Documents\066_66.JPG
[2011.02.25 23:06:44 | 000,941,294 | ---- | C] () -- C:\Users\FrankHE\Documents\070_70.JPG
[2011.02.25 23:04:42 | 001,274,993 | ---- | C] () -- C:\Users\FrankHE\Documents\054_54.JPG
[2011.02.25 23:02:18 | 001,202,657 | ---- | C] () -- C:\Users\FrankHE\Documents\017_17.JPG
[2011.01.06 19:29:37 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll
[2011.01.06 19:29:37 | 000,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll
[2010.12.07 23:16:19 | 000,000,000 | ---- | C] () -- C:\Users\FrankHE\AppData\Roaming\Sick.key
[2010.11.10 02:31:42 | 000,026,286 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2010.09.14 12:38:20 | 000,001,057 | ---- | C] () -- C:\Users\FrankHE\AppData\Roaming\vso_ts_preview.xml
[2010.07.24 22:51:24 | 000,007,598 | ---- | C] () -- C:\Users\FrankHE\AppData\Local\Resmon.ResmonCfg
[2010.07.24 21:02:01 | 000,165,383 | ---- | C] () -- C:\Windows\Video Cleaner Pro Uninstaller.exe
[2010.07.24 20:59:28 | 000,001,666 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2010.07.14 22:34:43 | 000,000,184 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010.06.25 18:03:12 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2010.05.23 14:41:18 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010.05.04 19:04:57 | 000,000,256 | ---- | C] () -- C:\Users\FrankHE\AppData\Roaming\Current.prx
[2010.04.15 17:09:55 | 000,140,248 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010.04.15 17:09:55 | 000,138,056 | ---- | C] () -- C:\Users\FrankHE\AppData\Roaming\PnkBstrK.sys
[2010.04.15 17:09:25 | 000,266,400 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2010.04.15 17:09:24 | 002,434,856 | ---- | C] () -- C:\Windows\System32\pbsvc_bc2.exe
[2010.04.15 17:09:24 | 000,075,136 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2009.10.07 01:46:36 | 000,025,752 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2009.10.07 01:23:08 | 000,013,584 | ---- | C] () -- C:\Windows\System32\drivers\iKeyLFT2.dll
[2009.07.14 09:47:43 | 000,653,928 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2009.07.14 09:47:43 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2009.07.14 09:47:43 | 000,129,800 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2009.07.14 09:47:43 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2009.07.14 05:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009.07.14 05:33:53 | 000,370,960 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009.07.14 03:05:48 | 000,615,810 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009.07.14 03:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009.07.14 03:05:48 | 000,106,190 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009.07.14 03:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009.07.14 03:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009.07.14 03:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009.07.14 01:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009.07.14 00:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009.07.14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009.07.14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009.06.10 22:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2009.04.09 12:44:42 | 000,108,066 | R--- | C] () -- C:\ProgramData\DeviceManager.xml.rc4
[2008.10.28 16:40:48 | 000,173,552 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
 
========== LOP Check ==========
 
[2010.07.27 20:17:50 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\2A48AB0D48B436F627B2BC16CDEE169B
[2010.05.19 13:02:03 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\7A4C10C5A785B11E43D75B44F739911D
[2010.07.27 23:42:03 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Any DVD Shrink
[2010.04.19 20:05:38 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\DAEMON Tools Lite
[2011.03.18 20:40:01 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\EPSON
[2010.09.09 19:05:04 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\FileZilla
[2010.07.06 11:51:30 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\FreeFLVConverter
[2010.12.03 12:41:39 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\GetRightToGo
[2010.04.22 13:47:49 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\ImgBurn
[2010.12.03 13:07:06 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Leadertech
[2010.05.24 19:59:14 | 000,000,000 | -HSD | M] -- C:\Users\FrankHE\AppData\Roaming\lowsec
[2011.03.18 23:38:30 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Mumble
[2011.01.06 16:23:21 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Onozyp
[2010.07.24 21:02:00 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\River Past G5
[2010.07.22 17:18:19 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\TeamViewer
[2010.06.12 13:46:53 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Telstra
[2010.04.15 12:14:37 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Trillian
[2010.07.30 19:42:23 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\TS3Client
[2010.07.21 11:59:33 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\UseNeXT
[2010.07.19 20:59:26 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Vodafone
[2010.09.20 12:58:08 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\VoipBuster
[2011.01.31 18:28:01 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Vso
[2010.07.27 23:35:06 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\WinAVI
[2010.10.15 21:35:22 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Wireshark
[2011.01.09 22:41:32 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Yfti
[2010.12.03 14:07:52 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %ALLUSERSPROFILE%\Application Data\*. >
 
< %ALLUSERSPROFILE%\Application Data\*.exe /s >
 
< %APPDATA%\*. >
[2010.07.27 20:17:50 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\2A48AB0D48B436F627B2BC16CDEE169B
[2010.05.19 13:02:03 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\7A4C10C5A785B11E43D75B44F739911D
[2011.01.21 16:09:16 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Adobe
[2010.07.27 23:42:03 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Any DVD Shrink
[2010.07.06 10:55:50 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Apple Computer
[2010.04.19 19:29:52 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\AVS4YOU
[2010.04.19 20:05:38 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\DAEMON Tools Lite
[2010.07.27 19:17:06 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\DivX
[2010.07.28 00:53:32 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\DVD Shrink
[2011.03.20 17:12:41 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\dvdcss
[2011.03.18 20:40:01 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\EPSON
[2010.09.09 19:05:04 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\FileZilla
[2010.07.19 21:04:57 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\FLEXnet
[2010.07.06 11:51:30 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\FreeFLVConverter
[2010.12.03 12:41:39 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\GetRightToGo
[2010.04.15 11:40:54 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Identities
[2010.04.22 13:47:49 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\ImgBurn
[2011.03.14 13:12:34 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\InstallShield
[2010.12.03 13:07:06 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Leadertech
[2010.05.24 19:59:14 | 000,000,000 | -HSD | M] -- C:\Users\FrankHE\AppData\Roaming\lowsec
[2010.04.15 14:04:17 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Macromedia
[2009.07.14 09:56:56 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Media Center Programs
[2011.03.18 23:39:12 | 000,000,000 | --SD | M] -- C:\Users\FrankHE\AppData\Roaming\Microsoft
[2010.04.15 11:59:15 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Mozilla
[2011.02.19 23:30:58 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Mozilla-Cache
[2011.03.18 23:38:30 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Mumble
[2010.07.28 00:41:07 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Nero
[2010.09.14 12:20:07 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\NeroDigital(TM)
[2011.01.06 16:23:21 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Onozyp
[2010.07.24 21:02:00 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\River Past G5
[2010.04.15 20:08:48 | 000,000,000 | RH-D | M] -- C:\Users\FrankHE\AppData\Roaming\SecuROM
[2011.03.23 16:19:01 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Skype
[2011.03.23 16:00:41 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\skypePM
[2010.07.22 17:18:19 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\TeamViewer
[2010.06.12 13:46:53 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Telstra
[2010.04.15 12:14:37 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Trillian
[2010.07.30 19:42:23 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\TS3Client
[2010.10.27 14:25:27 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\U3
[2010.07.21 11:59:33 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\UseNeXT
[2011.03.23 13:48:18 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\vlc
[2010.06.27 19:04:38 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\VMware
[2010.07.19 20:59:26 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Vodafone
[2010.09.20 12:58:08 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\VoipBuster
[2011.01.31 18:28:01 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Vso
[2010.07.27 23:35:06 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\WinAVI
[2010.04.15 17:07:46 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\WinRAR
[2010.10.15 21:35:22 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Wireshark
[2011.01.09 22:41:32 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Yfti
 
< %APPDATA%\*.exe /s >
[2007.10.23 08:27:20 | 000,110,592 | ---- | M] () -- C:\Users\FrankHE\AppData\Roaming\U3\temp\cleanup.exe
[2008.05.02 09:41:48 | 003,493,888 | -H-- | M] (SanDisk Corporation) -- C:\Users\FrankHE\AppData\Roaming\U3\temp\Launchpad Removal.exe
 
< %SYSTEMDRIVE%\*.exe >
[2007.11.07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe
[1 C:\*.tmp files -> C:\*.tmp -> ]
 
 
< MD5 for: AGP440.SYS  >
[2007.10.09 16:15:40 | 016,734,399 | ---- | M] () .cab file -- C:\Downloads\$WIN_NT$.~LS\I386\sp2.cab:AGP440.sys
[2009.07.14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009.07.14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009.07.14 02:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys
 
< MD5 for: ATAPI.SYS  >
[2007.10.09 16:15:40 | 016,734,399 | ---- | M] () .cab file -- C:\Downloads\$WIN_NT$.~LS\I386\sp2.cab:atapi.sys
[2009.07.14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009.07.14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009.07.14 02:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
 
< MD5 for: CNGAUDIT.DLL  >
[2009.07.14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009.07.14 02:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
 
< MD5 for: EXPLORER.EXE  >
[2009.07.14 02:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\explorer.exe
[2009.10.31 06:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2009.08.03 06:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009.08.03 06:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009.10.31 07:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
 
< MD5 for: IASTORV.SYS  >
[2009.07.14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009.07.14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009.07.14 02:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys
 
< MD5 for: NETLOGON.DLL  >
[2009.07.14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009.07.14 02:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll
 
< MD5 for: NVSTOR.SYS  >
[2009.07.14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009.07.14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009.07.14 02:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys
 
< MD5 for: SCECLI.DLL  >
[2009.07.14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009.07.14 02:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll
 
< MD5 for: USER32.DLL  >
[2009.07.14 02:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\System32\user32.dll
[2009.07.14 02:16:17 | 000,811,520 | ---- | M] (Microsoft Corporation) MD5=34B7E222E81FAFA885F0C5F2CFA56861 -- C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
 
< MD5 for: USERINIT.EXE  >
[2009.07.14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe
[2009.07.14 02:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
 
< MD5 for: VIAMRAID.SYS  >
[2006.11.08 13:25:24 | 000,116,688 | ---- | M] (VIA Technologies inc,.ltd) MD5=68B41DFA083C2734340BA254532700F3 -- C:\Users\FrankHE\Downloads\Archiv\PC0005A\drvdisk\i386\NT4\viamraid.sys
[2006.11.08 13:25:24 | 000,116,688 | ---- | M] (VIA Technologies inc,.ltd) MD5=68B41DFA083C2734340BA254532700F3 -- C:\Users\FrankHE\Downloads\Archiv\PC0005A\VIAStor\DRIVER\Raid\winnt40\viamraid.sys
[2006.11.08 13:23:52 | 000,102,912 | ---- | M] (VIA Technologies inc,.ltd) MD5=7DC3E1DC6E4F8BE381C31BFEA578412A -- C:\Users\FrankHE\Downloads\Archiv\PC0005A\drvdisk\i386\NT5\viamraid.sys
[2006.11.08 13:23:52 | 000,102,912 | ---- | M] (VIA Technologies inc,.ltd) MD5=7DC3E1DC6E4F8BE381C31BFEA578412A -- C:\Users\FrankHE\Downloads\Archiv\PC0005A\VIAStor\DRIVER\Raid\winxp\viamraid.sys
 
< MD5 for: WINLOGON.EXE  >
[2009.10.28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009.10.28 07:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009.10.28 06:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2009.07.14 02:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
 
< MD5 for: WS2IFSL.SYS  >
[2009.07.14 00:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\System32\drivers\ws2ifsl.sys
[2009.07.14 00:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) MD5=6DB3276587B853BF886B69528FDB048C -- C:\Windows\winsxs\x86_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_4f5cf6f829213bb2\ws2ifsl.sys
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010.04.19 16:52:37 | 000,691,696 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\sptd.sys
 
< %systemroot%\System32\config\*.sav >
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
[2009.07.14 02:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009.07.14 02:15:13 | 000,215,552 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2010.12.18 06:29:18 | 000,185,856 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\iepeers.dll
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:264B2CC4

< End of report >

--- --- ---

Und den ExtraOTL Logfile:

Code:

ATTFilter

OTL Extras logfile created on: 23.03.2011 16:17:34 - Run 1
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Users\FrankHE\Downloads
 An unknown product  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 45,00% Memory free
4,00 Gb Paging File | 2,00 Gb Available in Paging File | 61,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 24,12 Gb Free Space | 10,36% Space Free | Partition Type: NTFS
Unable to calculate disk information.
 
Computer Name: FRANKHE-PC | User Name: FrankHE | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-2410171022-1210043899-1249919164-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\FlashFXP\FlashFXP.exe" = C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- (IniCom Networks, Inc.)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\River Past\Video Cleaner Pro\VideoCleaner.exe" = C:\Program Files\River Past\Video Cleaner Pro\VideoCleaner.exe:*:Enabled:River Past Video Cleaner Pro -- (River Past Corporation)
"C:\Program Files\FlashFXP\FlashFXP.exe" = C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 -- (IniCom Networks, Inc.)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{06C43FAA-7226-41EF-A05E-9AE0AA849FFE}" = IBM SPSS Statistics 19
"{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1" = Core Temp version 0.99.7
"{08C8666B-C502-4AB3-B4CB-D74AC42D14FE}" = Nero BackItUp 10 Help (CHM)
"{16987E99-C95C-4513-9239-7B44A0A71DB5}" = Nero SoundTrax 10 Help (CHM)
"{183B7569-90FB-4C56-9761-0EEB002CAB83}" = Adobe Camera Raw 4.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}" = Nero MediaHub 10
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{20B83B31-09C4-4F0E-9774-EF8A12A0A527}" = Adobe Device Central CS3
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{237CCB62-8454-43E3-B158-3ACD0134852E}" = High-Definition Video Playback 10
"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 15
"{277C1559-4CF7-44FF-8D07-98AA9C13AABD}" = Nero Multimedia Suite 10
"{2A539CD9-0F75-4875-9A32-E06DD93C4114}" = Adobe Extension Manager CS3
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{329411A0-19F3-4740-874F-17400B126F27}" = Nero Vision 10 Help (CHM)
"{33643918-7957-4839-92C7-EA96CB621A98}" = Nero Express 10 Help (CHM)
"{34490F4E-48D0-492E-8249-B48BECF0537C}" = Nero DiscSpeed 10
"{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}" = Adobe Setup
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{41C3C974-EC5E-494C-AFE6-E31D92E2E6CB}" = Adobe Version Cue CS3 Client
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{4AA3D64E-9EC3-4B0F-AB91-5885AC55641F}" = Microsoft Games for Windows - LIVE 
"{4DF98D0B-637E-42B4-B9D6-EB7693D2FBF8}" = Adobe ExtendScript Toolkit 2
"{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM)
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5F548A02-80BC-404D-BAE6-F05F9BF6B449}" = Nero DiscCopyGadget 10 Help (CHM)
"{63AA3EAB-23BB-48B2-9AD0-44F878075604}" = Nero 10 Menu TemplatePack Basic
"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
"{66049135-9659-4AAD-9169-9CCA269EBB3E}" = Nero InfoTool 10 Help (CHM)
"{68AB6930-5BFF-4FF6-923B-516A91984FE6}" = Nero BackItUp 10
"{68CF6DD2-8BA3-4A70-81D8-7CC5F24C9BA2}" = Adobe Bridge CS3
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
"{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser und SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{733D84D6-AAFD-4368-A1D0-F2734F6B9082}" = Adobe Help Viewer CS3
"{7552F04B-9892-4362-8833-1E9AF1A8CF4C}" = Oracle VM VirtualBox 3.2.6
"{7A295D8F-484B-4FFB-89AB-C1FD497591FE}" = Nero WaveEditor 10 Help (CHM)
"{7A5D731D-B4B3-490E-B339-75685712BAAB}" = Nero Burning ROM 10
"{7F3A2319-79CF-4701-95FB-034E99281808}" = Adobe Bridge Start Meeting
"{82EF29B1-9B60-4142-A155-0599216DD053}" = LightScribe System Software
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{870815CA-6B60-47B6-88DD-A67F42D2F03E}" = GPL MPEG-1/2 DirectShow Decoder Filter
"{8BC84ECC-EA87-49C0-93C0-2B5DF62745CD}" = Adobe Asset Services CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}" = Nero Recode 10
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{92E25238-61A3-4ACD-A407-3C480EEF47A7}" = Nero RescueAgent 10 Help (CHM)
"{92EC1A84-7FFC-42DF-A8F6-79C21C4765A5}" = Nero DiscCopy Gadget 10
"{93D34EE3-99B3-4DB1-8B0A-0A657466F90D}" = Telstra Turbo Connection Manager
"{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"{96E3AED5-3D0B-4BB0-84C2-1EDADB204487}" = FlashFXP v3
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}" = Nero Vision 10
"{9A4D182C-35C7-4791-8484-4304EBC9101A}" = Windows 7 Upgrade Advisor
"{9B6B24BE-80E7-46C4-9FA5-B167D5E0F345}" = Nero BurningROM 10 Help (CHM)
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A71D5E81-B967-43DB-93D7-FD31BFB95748}" = MobileMe Control Panel
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB67580-257C-45FF-B8F4-C8C30682091A}_is1" = SIW version 2010.07.14
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}_920" = Adobe Acrobat 9.2.0 - CPSID_50026
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{C18A0418-442A-4186-AF98-D08F5054A2FC}" = Nero DiscSpeed 10 Help (CHM)
"{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
"{C3273C55-E1E4-41FF-8D69-0158090DB8D8}" = Nero CoverDesigner 10 Help (CHM)
"{C3580AC4-C827-4332-B935-9A282ED5BB97}" = Nero Dolby Files 10
"{C3E9887A-23BA-4777-8080-191A5AFCAB74}" = Mumble 1.2.3
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{C73F2967-062E-48F2-A462-D335B8950183}" = Safari
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{D1C59F81-66FD-4E8E-B9F7-F4B2442D5222}" = Adobe Update Manager CS3
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.1.1.334
"{DB7C1D4A-08BA-4C7E-A8AA-B7F9BB372DCF}" = Nero Recode 10 Help (CHM)
"{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX
"{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}" = Nero SoundTrax 10
"{E2354269-C89A-4323-B80F-B0DD65FBA5EB}" = WinExit-Pro
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E337E787-CF61-4B7B-B84F-509202A54023}" = Nero RescueAgent 10
"{E3B99F3D-9856-482A-9048-305E28E2510C}" = Vodafone Mobile Connect Lite
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EDCDFAD5-DF80-4600-A493-E9DAD6810230}" = Nero WaveEditor 10
"{F01D5ED5-D53A-4468-B428-149DC2CB3110}" = Adobe Dreamweaver CS3
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10
"{F467862A-D9CA-47ED-8D81-B4B3C9399272}" = Nero MediaHub 10 Help (CHM)
"{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic
"{F6117F9C-ADB5-4590-9BE4-12C7BEC28702}" = Nero StartSmart 10 Help (CHM)
"{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}" = Nero StartSmart 10
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FCF00A6E-FB58-477A-ABE9-232907105521}" = Nero CoverDesigner 10
"{FD052FB9-FE90-4438-B355-15EDC89D8FB1}" = Microsoft Games for Windows - LIVE Redistributable
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_435a6af7459cb02a9c1138113a26e93" = Adobe Dreamweaver CS3
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-01-24
"DivX Setup.divx.com" = DivX-Setup
"DynDNSUpdater" = DynDNS Updater
"EADM" = EA Download Manager
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON BX600FW Series" = Druckerdeinstallation für EPSON BX600FW Series
"EPSON Scanner" = EPSON Scan
"EPSON Stylus Office BX600FW_Office TX600FW_SX600FW Benutzerhandbuch" = EPSON Stylus Office BX600FW_Office TX600FW_SX600FW Handbuch
"EPSON SX600FW Series" = EPSON SX600FW Series Printer Uninstall
"FileZilla Client" = FileZilla Client 3.3.4.1
"Free FLV Converter_is1" = Free FLV Converter V 6.7.7
"ImgBurn" = ImgBurn
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"JDownloader" = JDownloader
"Jetcast" = Jetcast 3.2.4
"Logitech Touch Mouse Server" = Logitech Touch Mouse Server 1.0
"lvdrivers_12.10" = Logitech Webcam Software-Treiberpaket
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"NeoTrace Express 3.25" = NeoTrace Express 3.25
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Off-Helper_is1" = Off-Helper 3.02
"PartyPoker" = PartyPoker
"PE Builder_is1" = PE Builder 3.1.10a
"Proxifier_is1" = Proxifier version 2.91
"PunkBusterSvc" = PunkBuster Services
"Rechnung3" = Softwarenetz Rechnung3
"Sandboxie" = Sandboxie 3.46
"StarCraft II" = StarCraft II
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Steam App 260" = Counter-Strike: Source Beta
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"TeamViewer 5" = TeamViewer 5
"Trillian" = Trillian
"UltraISO_is1" = UltraISO Premium V9.36
"UseNeXT_is1" = UseNeXT
"Video Cleaner Pro" = River Past Video Cleaner Pro
"VLC media player" = VLC media player 1.0.5
"WBFS Manager 3.0" = WBFS Manager 3.0
"WinAVI Video Converter 10.0_is1" = WinAVI Video Converter
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinPcapInst" = WinPcap 4.1.2
"WinRAR archiver" = WinRAR
"Wireshark" = Wireshark 1.4.1
"WMV9_VCM" = Microsoft Windows Media Video 9 VCM
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-2410171022-1210043899-1249919164-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"pdfsam" = pdfsam
"WinSetupFromUSB" = WinSetupFromUSB
 
========== Last 10 Event Log Errors ==========
 
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
 
< End of report >

--- --- ---

Außerdem habe ich den Inhalt des Ordners C:users\f*****\Appdata\roaming\xoep gelöscht. Avira ist im Ordner Roaming besonder angesprungen und hat ca 8 Infizierte Dateien gemeldet (und entfernt)

Ich hab mir hier die wirklich engagierten Beiträge durchgelesen und wie super hier geholfen wurde und wird, aber es wundert mich ein bisschen, dass diese wirklich tollen Ratschläge gegeben wurden, aber im Endeffekt es immer hieß:
"Format C:" - Warum dann also die Mühen und das viele Erklären? Wenn es doch am Ende auf das formatieren hinaus läuft?

Mir ist klar, dass der Trojaner nicht hunderprozentig entfernt werden kann, aber ich werde mein System nicht neu aufstetzen, ich bitte daher nur um Informationen zum Entfernen des Schädlings, soweit möglich.

Malewarebytes läuft gerade durch und hat bis jetzt 1 infizierten Sektor gefunden. Für eine Auswertung d. Logs und tipps zur weitern Vorgehensweise wäre ich sehr dankbar!

gruß
Frank

cosinus · 24.03.2011, 10:23

Zitat:

Ich habe einen vollen Systemscan mit AntiVir durchführen lassen. Der hat einiges gefunden und gelöscht.

Wo ist das Log dazu? Bitte alles nachreichen. Auch alle Logs von Malwarebytes.

Bash · 25.03.2011, 16:27

Hallo!

Hier die Log des vollen Suchlaufes von AntiVir und Malewarebytes. Habe die Dateien angehangen.
mfg

cosinus · 25.03.2011, 18:07

Zitat:

C:\Users\FrankHE\Desktop\Schwarze_Sonne_RAT_1.0

Was macht das aufm Desktop?

Zitat:

C:\Users\FrankHE\Wichtig\Präventivschlag\Mittel\all_phone_unlockers_package\Ericsson [Serial UnLock].zip
C:\Users\FrankHE\Downloads\Archiv\Driveby_by_Sc_ence\Driveby_by_Sc!ence\Webcam\Sun_Microsystems_Java_Security_Update_6.jar

Was soll das sein?

Bash · 25.03.2011, 18:22

Keine Ahnung, mein kleiner Bruder hatte den PC während meiner Abwesendheit in Beschlag genommen. Wie sehen denn die Logs aus?

cosinus · 25.03.2011, 18:37

Mach einen OTL-Fix, beende alle evtl. geöffneten Programme, auch Virenscanner deaktivieren (!), starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!)

Code:

ATTFilter

:OTL
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:264B2CC4
[2011.01.09 22:41:32 | 000,000,000 | ---D | M] -- C:\Users\FrankHE\AppData\Roaming\Yfti
[2010.05.24 19:59:14 | 000,000,000 | -HSD | M] -- C:\Users\FrankHE\AppData\Roaming\lowsec
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{20739e4a-e1c7-11df-a0c2-08002700a0d9}\Shell - "" = AutoRun
O33 - MountPoints2\{20739e4a-e1c7-11df-a0c2-08002700a0d9}\Shell\AutoRun\command - "" = F:\Startup.exe
O33 - MountPoints2\{3f8f54aa-4bd8-11df-b652-89c3375f2fa9}\Shell - "" = AutoRun
O33 - MountPoints2\{3f8f54aa-4bd8-11df-b652-89c3375f2fa9}\Shell\AutoRun\command - "" = G:\Setup.exe -auto
O33 - MountPoints2\{51c547a0-93f2-11df-b494-f32a10b47706}\Shell - "" = AutoRun
O33 - MountPoints2\{51c547a0-93f2-11df-b494-f32a10b47706}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{bb051288-9376-11df-9e84-92b101b3cdc5}\Shell - "" = AutoRun
O33 - MountPoints2\{bb051288-9376-11df-9e84-92b101b3cdc5}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{c04f3b29-9185-11df-a16e-08002700a0d9}\Shell\Option1\Command - "" = H:\HBCD\Wintools\Autorun.exe
O33 - MountPoints2\{ccc4abe5-9633-11df-9639-08002700a0d9}\Shell - "" = AutoRun
O33 - MountPoints2\{ccc4abe5-9633-11df-9639-08002700a0d9}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{d7d14061-9296-11df-b980-08002700a0d9}\Shell - "" = AutoRun
O33 - MountPoints2\{d7d14061-9296-11df-b980-08002700a0d9}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
FF - prefs.js..network.proxy.backup.ftp: "213.203.203.52"
FF - prefs.js..network.proxy.backup.ftp_port: 1338
FF - prefs.js..network.proxy.backup.gopher: "213.203.203.52"
FF - prefs.js..network.proxy.backup.gopher_port: 1338
FF - prefs.js..network.proxy.backup.socks: "213.203.203.52"
FF - prefs.js..network.proxy.backup.socks_port: 1338
FF - prefs.js..network.proxy.backup.ssl: "213.203.203.52"
FF - prefs.js..network.proxy.backup.ssl_port: 1338
FF - prefs.js..network.proxy.ftp: "92.241.190.219"
FF - prefs.js..network.proxy.ftp_port: 4334
FF - prefs.js..network.proxy.gopher: "92.241.190.219"
FF - prefs.js..network.proxy.gopher_port: 4334
FF - prefs.js..network.proxy.http: "92.241.190.219"
FF - prefs.js..network.proxy.http_port: 4334
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "92.241.190.219"
FF - prefs.js..network.proxy.socks_port: 4334
FF - prefs.js..network.proxy.ssl: "92.241.190.219"
FF - prefs.js..network.proxy.ssl_port: 4334
FF - prefs.js..network.proxy.type: 0
:Commands
[purity]
[resethosts]
[emptytemp]

Klick dann oben links auf den Button Fix!
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.

Die mit diesem Script gefixten Einträge, Dateien und Ordner werden zur Sicherheit nicht vollständig gelöscht, es wird eine Sicherheitskopie auf der Systempartition im Ordner "_OTL" erstellt.

Bash · 25.03.2011, 18:56

Hallo Arne, hier der Auswurf, wurde nach dem Neustart ausgegeben:
Ist das gröbste damit beseitigt?

All processes killed
========== OTL ==========
ADS C:\ProgramData\TEMP:264B2CC4 deleted successfully.
C:\Users\FrankHE\AppData\Roaming\Yfti folder moved successfully.
C:\Users\FrankHE\AppData\Roaming\lowsec folder moved successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\autoexec.bat moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20739e4a-e1c7-11df-a0c2-08002700a0d9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20739e4a-e1c7-11df-a0c2-08002700a0d9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20739e4a-e1c7-11df-a0c2-08002700a0d9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20739e4a-e1c7-11df-a0c2-08002700a0d9}\ not found.
File F:\Startup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f8f54aa-4bd8-11df-b652-89c3375f2fa9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3f8f54aa-4bd8-11df-b652-89c3375f2fa9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f8f54aa-4bd8-11df-b652-89c3375f2fa9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3f8f54aa-4bd8-11df-b652-89c3375f2fa9}\ not found.
File G:\Setup.exe -auto not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{51c547a0-93f2-11df-b494-f32a10b47706}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51c547a0-93f2-11df-b494-f32a10b47706}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{51c547a0-93f2-11df-b494-f32a10b47706}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51c547a0-93f2-11df-b494-f32a10b47706}\ not found.
File I:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb051288-9376-11df-9e84-92b101b3cdc5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bb051288-9376-11df-9e84-92b101b3cdc5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb051288-9376-11df-9e84-92b101b3cdc5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bb051288-9376-11df-9e84-92b101b3cdc5}\ not found.
File I:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c04f3b29-9185-11df-a16e-08002700a0d9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c04f3b29-9185-11df-a16e-08002700a0d9}\ not found.
File H:\HBCD\Wintools\Autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ccc4abe5-9633-11df-9639-08002700a0d9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ccc4abe5-9633-11df-9639-08002700a0d9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ccc4abe5-9633-11df-9639-08002700a0d9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ccc4abe5-9633-11df-9639-08002700a0d9}\ not found.
File F:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7d14061-9296-11df-b980-08002700a0d9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d7d14061-9296-11df-b980-08002700a0d9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7d14061-9296-11df-b980-08002700a0d9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d7d14061-9296-11df-b980-08002700a0d9}\ not found.
File I:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I\ not found.
File I:\setup_vmc_lite.exe /checkApplicationPresence not found.
Prefs.js: "213.203.203.52" removed from network.proxy.backup.ftp
Prefs.js: 1338 removed from network.proxy.backup.ftp_port
Prefs.js: "213.203.203.52" removed from network.proxy.backup.gopher
Prefs.js: 1338 removed from network.proxy.backup.gopher_port
Prefs.js: "213.203.203.52" removed from network.proxy.backup.socks
Prefs.js: 1338 removed from network.proxy.backup.socks_port
Prefs.js: "213.203.203.52" removed from network.proxy.backup.ssl
Prefs.js: 1338 removed from network.proxy.backup.ssl_port
Prefs.js: "92.241.190.219" removed from network.proxy.ftp
Prefs.js: 4334 removed from network.proxy.ftp_port
Prefs.js: "92.241.190.219" removed from network.proxy.gopher
Prefs.js: 4334 removed from network.proxy.gopher_port
Prefs.js: "92.241.190.219" removed from network.proxy.http
Prefs.js: 4334 removed from network.proxy.http_port
Prefs.js: true removed from network.proxy.share_proxy_settings
Prefs.js: "92.241.190.219" removed from network.proxy.socks
Prefs.js: 4334 removed from network.proxy.socks_port
Prefs.js: "92.241.190.219" removed from network.proxy.ssl
Prefs.js: 4334 removed from network.proxy.ssl_port
Prefs.js: 0 removed from network.proxy.type
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: FrankHE
->Temp folder emptied: 20060272 bytes
->Temporary Internet Files folder emptied: 3733841120 bytes
->Java cache emptied: 19127205 bytes
->FireFox cache emptied: 105958670 bytes
->Flash cache emptied: 131120 bytes

User: Public

%systemdrive% .tmp files removed: 2140160 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12093608 bytes
RecycleBin emptied: 239345 bytes

Total Files Cleaned = 3.713,00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 03252011_184705

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...

cosinus · 26.03.2011, 17:32

Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.

Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Der Sparkassen RAT

Plagegeister aller Art und deren Bekämpfung: Der Sparkassen RAT