Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   GVU-Trojaner (Variation von 2.07 da Bild minimal abweicht) (https://www.trojaner-board.de/122998-gvu-trojaner-variation-2-07-bild-minimal-abweicht.html)

Zweckformer 29.08.2012 13:58
GVU-Trojaner (Variation von 2.07 da Bild minimal abweicht)
 
Hallo zusammen,

ich habe mir eben auf meinem tower den gvu trojaner eingefangen und versucht mit der kaspersky rescue disk 10 bzw windows unlocker zu entfernen.
jedeoch finde ich die beiden zu suchenden (hxxp://blog.botfrei.de/2012/03/anlei...ws-xp-vista-7/) schluessel nicht im
K-editor und auch der windowsunlocker-terminal-screen zeigt keine "restore to explorer.exe" meldungen an.

da mir nun klar wurde, dass ich eine andere version des trojaners "besitze" (2.07 nehme ich an), wollte ich hier fragen ob mir bei der loesung dieses problems jemand behilflich sein kann?

gruesse

Nachtrag: Es scheint nicht genau der 2.07 zu sein, das es kleinere Abweichungen zu dem Bild gibt auf hxxp://bka-trojaner.de/

Nachtrag II: Anbei die Otl.txt & extras.txt

markusg 29.08.2012 14:03
hi

dieses script sowie evtl. folgende scripts sind nur für den jeweiligen user.
wenn ihr probleme habt, eröffnet eigene topics und wartet auf, für euch angepasste scripts.


• Starte bitte die OTL.exe
• Kopiere nun das Folgende in die Textbox.



Code:
:OTL
O20 - HKU\S-1-5-21-72721436-1853332672-4045996675-1001 Winlogon: Shell - (D:\Users\DenDe\AppData\Roaming\msconfig.dat) - D:\Users\DenDe\AppData\Roaming\msconfig.dat ()

 :Files
D:\Users\DenDe\AppData\Roaming\msconfig.dat
:Commands
[Reboot]


• Schliesse bitte nun alle Programme.
• Klicke nun bitte auf den Fix Button.
• OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
• Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren.
starte in den normalen modus.

falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden

Hinweis: Die Datei bitte wie in der Anleitung zum UpChannel angegeben auch da hochladen. Bitte NICHT die ZIP-Datei hier als Anhang
in den Thread posten!



Drücke bitte die http://larusso.trojaner-board.de/Images/windows.jpg + E Taste.
  • Öffne dein Systemlaufwerk ( meistens C: )
  • Suche nun
    folgenden Ordner: _OTL und öffne diesen.
  • Mache einen Rechtsklick auf den Ordner Movedfiles --> Senden an --> Zip-Komprimierter Ordner

  • Dies wird eine Movedfiles.zip Datei in _OTL erstellen
  • Lade diese bitte in unseren Uploadchannel
    hoch. ( Durchsuchen --> C:\_OTL\Movedfiles.zip )
Teile mir mit ob der Upload problemlos geklappt hat. Danke im voraus :)

für eine weitere analyse benötige ich mal folgendes.
D:\Users\name\AppData\LocalLow\Sun\Java\Deployment\cache
(bei dir könnte es auf evtl. auf c: sein)
dort rechtsklick auf den ordner cache, diesen mit winrar oder einem anderen programm packen, und im upload channel hochladen bitte
Trojaner-Board Upload Channel
wenn dies erledigt ist, bittemelden.

Zweckformer 29.08.2012 15:38
Hey vielen Dank fuer deine schnelle Hilfe

also,
ich hab den Fix per OTL im abgesicherten Modus mit eingabeaufforderung. (explorer.exe gestartet) ausfuehren koennen. in den anderen modi wurde der bildschirm geleich gesperrt.

nach dem reboot konnte ich den normalem modus und das infizierte profil wieder ohne probleme starten.

jedoch habe ich keine neue Textdatei auf dem Desktop vorfinden koennen.
ich habe nun einfach nochmal einen OTL scan durchlaufen lassen, und hoffe dass du diese dateien meinst.

OTL.txt

OTL Logfile:
Code:
OTL logfile created on: 29.08.2012 16:26:09 - Run 2
OTL by OldTimer - Version 3.2.59.1    Folder = D:\Users\DenDe\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
8,00 Gb Total Physical Memory | 6,39 Gb Available Physical Memory | 79,84% Memory free
12,00 Gb Paging File | 10,24 Gb Available in Paging File | 85,36% Paging File free
Paging file location(s): d:\pagefile.sys 4096 4096 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 51,35 Gb Total Space | 29,23 Gb Free Space | 56,92% Space Free | Partition Type: NTFS
Drive D: | 931,51 Gb Total Space | 756,83 Gb Free Space | 81,25% Space Free | Partition Type: NTFS
Drive E: | 97,66 Gb Total Space | 59,92 Gb Free Space | 61,36% Space Free | Partition Type: NTFS
Drive F: | 148,91 Gb Total Space | 57,72 Gb Free Space | 38,76% Space Free | Partition Type: NTFS
Drive G: | 259,27 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive K: | 2,36 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: ZWECKFORMERPC2 | User Name: Zweckformer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.08.29 14:16:04 | 000,598,528 | ---- | M] (OldTimer Tools) -- D:\Users\DenDe\Desktop\OTL.exe
PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011.09.22 12:03:30 | 000,974,944 | ---- | M] (ESET) -- E:\Apps\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.05.30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012.05.30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2012.04.06 04:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2012.08.22 19:52:44 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.08.19 20:50:37 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.07.14 02:13:54 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011.09.22 12:03:30 | 000,974,944 | ---- | M] (ESET) [Auto | Running] -- E:\Apps\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn)
SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012.06.29 23:38:01 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2012.04.25 12:11:36 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012.04.06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2012.04.06 03:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012.02.23 14:32:04 | 000,095,760 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011.08.09 14:24:52 | 000,202,576 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm)
DRV:64bit: - [2011.08.04 09:20:38 | 000,146,432 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv)
DRV:64bit: - [2011.08.04 09:20:38 | 000,137,144 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.11.21 05:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010.06.09 22:41:13 | 000,123,840 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AnyDVD.sys -- (AnyDVD)
DRV:64bit: - [2010.01.01 19:20:28 | 000,034,472 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.05.18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2010.06.09 22:41:13 | 000,123,840 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010.03.31 00:00:00 | 000,026,752 | ---- | M] () [Kernel | On_Demand | Stopped] -- E:\Apps\EVEREST Ultimate Edition\kerneld.amd64 -- (EverestDriver)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 8E E2 FF 8B 66 CD 01  [binary data]
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-72721436-1853332672-4045996675-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Apps\Itunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@idsoftware.com/QuakeLive: C:\ProgramData\id Software\QuakeLive\npquakezero.dll (id Software Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.6.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: E:\Apps\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: E:\Apps\AReaderX\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Users\DenDe\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Users\DenDe\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: E:\Apps\Mozilla\components [2012.07.20 21:15:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: E:\Apps\Mozilla\plugins [2012.08.20 15:46:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: E:\Apps\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012.08.23 10:10:03 | 000,000,000 | ---D | M]
 
[2012.07.20 21:16:16 | 000,000,000 | ---D | M] (No name found) -- D:\Users\DenDe\AppData\Roaming\mozilla\Extensions
[2012.08.26 19:31:11 | 000,000,000 | ---D | M] (No name found) -- D:\Users\DenDe\AppData\Roaming\mozilla\Firefox\Profiles\b4uoubp3.default\extensions
[2012.07.20 21:34:28 | 000,000,000 | ---D | M] (Forecastfox) -- D:\Users\DenDe\AppData\Roaming\mozilla\Firefox\Profiles\b4uoubp3.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = D:\Users\DenDe\AppData\Local\Google\Chrome\Application\21.0.1180.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = D:\Users\DenDe\AppData\Local\Google\Chrome\Application\21.0.1180.79\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = D:\Users\DenDe\AppData\Local\Google\Chrome\Application\21.0.1180.79\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = E:\Apps\AReaderX\Reader\Browser\nppdf32.dll
CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: Uplay PC (Enabled) = C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
CHR - plugin: Google Update (Enabled) = D:\Users\DenDe\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: iTunes Application Detector (Enabled) = E:\Apps\Itunes\Mozilla Plugins\npitunes.dll
CHR - plugin: VLC Web Plugin (Enabled) = E:\Apps\VLC\npvlc.dll
 
O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [egui] E:\Apps\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-72721436-1853332672-4045996675-1001..\Run: [DAEMON Tools Lite] E:\Apps\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 217.0.43.129 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B73333B-BFD8-4059-B583-C92A5566532E}: DhcpNameServer = 217.0.43.129 192.168.0.1
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKU\S-1-5-21-72721436-1853332672-4045996675-1001 Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.12.19 18:34:54 | 002,830,336 | ---- | M] () - H:\autorun.exe -- [ FAT32 ]
O32 - AutoRun File - [2009.12.21 22:48:04 | 000,000,000 | ---D | M] - H:\AutoPlay -- [ FAT32 ]
O32 - AutoRun File - [2009.12.19 18:34:54 | 000,000,046 | ---- | M] () - H:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2009.12.14 22:58:24 | 000,003,562 | ---- | M] () - H:\Autounattend.xml -- [ FAT32 ]
O32 - AutoRun File - [2012.08.16 19:43:24 | 000,000,058 | R--- | M] () - K:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{8f7eab56-bc40-11e1-9592-0023ae616502}\Shell - "" = AutoRun
O33 - MountPoints2\{8f7eab56-bc40-11e1-9592-0023ae616502}\Shell\AutoRun\command - "" = K:\Setup.exe -- [2012.08.16 19:43:24 | 001,112,066 | R--- | M] (Microsoft Games Studios                                    )
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\Setup.exe -- [2012.08.16 19:43:24 | 001,112,066 | R--- | M] (Microsoft Games Studios                                    )
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.08.29 14:42:48 | 000,598,528 | ---- | C] (OldTimer Tools) -- D:\Users\DenDe\Desktop\OTL.exe
[2012.08.29 13:51:01 | 000,000,000 | -HSD | C] -- C:\found.000
[2012.08.23 10:27:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012.08.23 10:27:14 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012.08.23 10:27:10 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012.08.23 10:27:10 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012.08.23 10:27:10 | 000,095,208 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012.08.23 10:27:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2012.08.23 10:09:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
[2012.08.23 10:01:31 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2012.08.20 23:27:11 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Local\Darksiders2
[2012.08.20 21:10:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\THQ
[2012.08.19 23:38:03 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012.08.19 23:38:02 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012.08.19 23:38:02 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012.08.19 23:38:02 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012.08.19 23:38:01 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012.08.19 23:38:01 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012.08.19 23:38:01 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012.08.19 23:38:01 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012.08.19 23:38:00 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012.08.19 23:38:00 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012.08.19 23:38:00 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012.08.19 23:37:59 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012.08.19 23:37:59 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012.08.19 23:22:36 | 000,000,000 | ---D | C] -- C:\Games
[2012.08.19 23:22:29 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Local\Package Cache
[2012.08.19 20:54:58 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2012.08.19 20:54:55 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2012.08.19 20:54:55 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2012.08.19 20:54:55 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\splwow64.exe
[2012.08.19 20:54:54 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netapi32.dll
[2012.08.19 20:54:54 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browcli.dll
[2012.08.19 20:54:54 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\browcli.dll
[2012.08.19 20:54:52 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll
[2012.08.13 18:42:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kalypso
[2012.08.13 18:36:58 | 000,000,000 | ---D | C] -- C:\ProgramData\RELOADED
[2012.08.12 15:41:43 | 000,000,000 | ---D | C] -- D:\Users\DenDe\Documents\Wizards of the Coast
[2012.08.11 12:42:23 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Roaming\RotMG.Production
[2012.08.08 11:20:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavalys
[2012.08.07 21:49:00 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Local\Adobe
[2012.08.06 20:39:26 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Roaming\Natural Selection 2
[2012.08.04 23:23:18 | 000,000,000 | ---D | C] -- D:\Users\DenDe\AppData\Roaming\HackSlashLoot
[2012.08.03 20:22:33 | 000,000,000 | ---D | C] -- D:\Users\DenDe\Documents\LOLReplay
[2012.08.02 00:11:49 | 000,000,000 | ---D | C] -- D:\Users\DenDe\Documents\Shiner
 
========== Files - Modified Within 30 Days ==========
 
[2012.08.29 16:24:06 | 000,021,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.29 16:24:06 | 000,021,696 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.29 16:21:10 | 001,498,506 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.08.29 16:21:10 | 000,653,928 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.08.29 16:21:10 | 000,615,810 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.08.29 16:21:10 | 000,129,800 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.08.29 16:21:10 | 000,106,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.08.29 16:18:44 | 000,001,132 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-72721436-1853332672-4045996675-1001UA.job
[2012.08.29 16:16:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.29 16:16:25 | 2145,636,351 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.29 14:23:12 | 000,000,045 | ---- | M] () -- D:\Users\DenDe\AppData\Roaming\msconfig.ini
[2012.08.29 14:16:04 | 000,598,528 | ---- | M] (OldTimer Tools) -- D:\Users\DenDe\Desktop\OTL.exe
[2012.08.29 13:50:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.08.24 02:17:00 | 000,001,080 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-72721436-1853332672-4045996675-1001Core.job
[2012.08.23 10:27:06 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\deployJava1.dll
[2012.08.23 10:27:06 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012.08.23 10:27:06 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012.08.23 10:27:06 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012.08.23 10:27:06 | 000,095,208 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012.08.21 20:39:27 | 001,034,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\npDeployJava1.dll
[2012.08.21 20:39:27 | 000,916,456 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\deployJava1.dll
[2012.08.20 08:59:41 | 000,274,464 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.08.19 20:50:37 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012.08.19 20:50:37 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.08.03 20:30:17 | 014,958,983 | ---- | M] () -- D:\Users\DenDe\Desktop\Let's Build Exchange.zip
[2012.08.01 21:25:21 | 000,065,078 | ---- | M] () -- D:\Users\DenDe\Desktop\196209-10150980578639752-1018513593-n.jpg
 
========== Files Created - No Company Name ==========
 
[2012.08.29 11:46:32 | 000,000,045 | ---- | C] () -- D:\Users\DenDe\AppData\Roaming\msconfig.ini
[2012.08.03 20:29:32 | 014,958,983 | ---- | C] () -- D:\Users\DenDe\Desktop\Let's Build Exchange.zip
[2012.08.01 21:25:20 | 000,065,078 | ---- | C] () -- D:\Users\DenDe\Desktop\196209-10150980578639752-1018513593-n.jpg
[2012.07.19 17:45:15 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2012.06.21 15:10:00 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.04.06 03:29:34 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.04.06 03:29:34 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012.03.09 14:06:14 | 000,024,576 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2011.09.13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
 
========== LOP Check ==========
 
[2012.08.03 20:31:52 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\.minecraft
[2012.06.26 20:11:07 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\.minecraft - Kopie
[2012.07.17 19:49:09 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\.mono
[2012.06.22 11:24:45 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Ashampoo
[2012.07.04 18:08:26 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\DAEMON Tools Lite
[2012.07.11 09:37:42 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\digital publishing
[2012.06.21 15:51:24 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\DisplayFusion
[2012.08.04 23:23:18 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\HackSlashLoot
[2012.07.11 17:44:07 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Hod_Uninstall
[2012.07.11 17:44:10 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\HulkOnDesk
[2012.06.21 18:33:43 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\LolClient
[2012.06.21 23:34:27 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\LolClient2
[2012.08.06 20:39:32 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Natural Selection 2
[2012.07.02 16:19:45 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Notepad++
[2012.06.21 21:52:57 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\QIP
[2012.08.11 12:42:23 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\RotMG.Production
[2012.07.12 22:36:58 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\six-updater
[2012.07.12 20:52:26 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\six-zsync
[2012.07.07 13:27:59 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Ubisoft
[2012.07.17 19:32:03 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Unity
[2012.07.28 13:35:39 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\Wargaming.net
[2012.07.04 15:55:33 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\WindSolutions
[2012.07.30 17:19:49 | 000,000,000 | ---D | M] -- D:\Users\DenDe\AppData\Roaming\WorldPainter
[2009.07.14 07:08:49 | 000,017,890 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 

< End of report >
--- --- ---






extras.txt

OTL Logfile:
Code:
OTL Extras logfile created on: 29.08.2012 16:26:09 - Run 2
OTL by OldTimer - Version 3.2.59.1    Folder = D:\Users\DenDe\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
8,00 Gb Total Physical Memory | 6,39 Gb Available Physical Memory | 79,84% Memory free
12,00 Gb Paging File | 10,24 Gb Available in Paging File | 85,36% Paging File free
Paging file location(s): d:\pagefile.sys 4096 4096 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 51,35 Gb Total Space | 29,23 Gb Free Space | 56,92% Space Free | Partition Type: NTFS
Drive D: | 931,51 Gb Total Space | 756,83 Gb Free Space | 81,25% Space Free | Partition Type: NTFS
Drive E: | 97,66 Gb Total Space | 59,92 Gb Free Space | 61,36% Space Free | Partition Type: NTFS
Drive F: | 148,91 Gb Total Space | 57,72 Gb Free Space | 38,76% Space Free | Partition Type: NTFS
Drive G: | 259,27 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive K: | 2,36 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
 
Computer Name: ZWECKFORMERPC2 | User Name: Zweckformer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- E:\Apps\Mozilla\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "E:\Apps\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with &IrfanView] -- "E:\Apps\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "E:\Apps\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "E:\Apps\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "E:\Apps\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "E:\Apps\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "E:\Apps\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with &IrfanView] -- "E:\Apps\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "E:\Apps\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "E:\Apps\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "E:\Apps\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "E:\Apps\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0E7380A1-585A-4756-B2DC-151F81FBF26A}" = protocol=17 | dir=in | app=e:\games\steam\steam.exe |
"{1AC0BE05-8095-406D-8C8A-59AF8B59779C}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\dota 2 beta\dota.exe |
"{1CD440AC-1607-41CB-8499-414AE44468C1}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\natural selection 2\launchpad.exe |
"{1F6B604C-FDF4-46E2-A9ED-BE85D95B3672}" = protocol=6 | dir=in | app=f:\games\anno2070\autopatcher.exe |
"{294A71A2-1F42-4044-BF26-FE6D215D843C}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\cubemen\cubemen.exe |
"{2C6B8612-0DEF-4D47-ADE1-0E293810ACF6}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\serious sam 3\bin\sam3_unrestricted.exe |
"{2CC8A2E0-5F0D-4E86-BC3D-FDC264129EAE}" = protocol=6 | dir=in | app=e:\games\steam\steam.exe |
"{323C0BB4-4793-48EB-91C9-287DB6D5A60C}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe |
"{3A9D4E4F-4FA7-451C-BA3D-BE697F5FA072}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\natural selection 2\launchpad.exe |
"{3AF1A23E-DEC2-4126-9BB1-201CA4BE021F}" = protocol=6 | dir=in | app=f:\games\anno2070\initengine.exe |
"{4377E818-ECCB-402F-8B6B-636FD79DC271}" = protocol=17 | dir=in | app=f:\games\anno2070\initengine.exe |
"{4856FDBA-5CAE-422A-80EF-E7C134D948E8}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe |
"{498516AC-C52B-4270-BF33-4E7FF21FB178}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\cubemen\cubemen.exe |
"{4B11BB18-449F-4C96-A2AB-F99FFEADD232}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe |
"{54AF3664-091A-4912-A486-5E71BBC31F84}" = dir=in | app=e:\apps\itunes\itunes.exe |
"{5594A3D6-1400-44D8-A4FA-6A29EE18AB9E}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{5C0C98FB-C5B8-4642-8575-308754D9C835}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{621050FF-3A02-4913-86BC-55E04E052FBF}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\hackslashloot\hackslashloot.exe |
"{636B5AE4-25C2-4AAB-862B-7F8F3C5F406C}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\natural selection 2\ns2.exe |
"{6501D285-1500-4A94-8BB3-8C6F08671C3F}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe |
"{68859ECA-9960-432D-86DB-9FBD61339078}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{6D10FBD4-C539-4595-80B3-C6A9C0470EBE}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\arma2oa.exe |
"{6E490EE5-7597-4BEE-AF9B-2CAB541F666A}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
"{6E71E6D0-F1EB-40EF-99DD-14213F022583}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2\arma2.exe |
"{6E943433-168B-4D11-82E7-E23401360D13}" = protocol=17 | dir=in | app=f:\games\anno2070\autopatcher.exe |
"{6EA9CC33-9D1A-4F25-BEFE-86971796D7AA}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd |
"{6F634D46-1BF3-441A-B150-4B07E5ADC806}" = protocol=17 | dir=in | app=f:\games\anno2070\anno5.exe |
"{713B1214-ED28-4268-ABB0-1FD5A6F9B22A}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe |
"{77F81067-28C9-4A32-ABEE-84894457C057}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\serious sam 3\bin\sam3.exe |
"{7C003B40-082C-4C0D-8A8A-94049A0746FE}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\dota 2 beta\dota.exe |
"{7CAE8907-DFC0-41F7-81D7-3E2D326A3351}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\magic 2013\dotp_d13.exe |
"{7FE6E4F1-E78A-4EDC-8CB9-A99660D46BBB}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe |
"{834192EE-1AF6-4B3A-9AB8-A956AA48F6E7}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.1040\agent.exe |
"{868A5D1F-41F7-4EF5-A8F3-C2EDE533F732}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\natural selection 2\ns2.exe |
"{89AD8920-7BC5-4BD5-B118-E80B64551CCD}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\dota 2 beta\dota.exe |
"{90FBC3A7-966C-43AA-A9FF-7B561249300D}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{94A3596B-7453-4219-8C22-DC4C6761D85E}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\dota 2 beta\dota.exe |
"{9909AE0D-3EAA-466F-8788-187F2B194129}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |
"{9B07219D-DB6A-4C96-8108-60F7E6D27DA0}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A01D09A9-49CC-4FE8-BC01-A8D3008F79D0}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\serious sam 3\bin\sam3_unrestricted.exe |
"{A0DB6835-2269-4D29-86E7-E794A5D2CEF4}" = protocol=6 | dir=in | app=f:\games\anno2070\anno5.exe |
"{A7C1385C-36B4-4390-9A26-E526B8E0DB83}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\natural selection 2\launchpad.exe |
"{A887E353-2EC9-46F4-8FF7-D4C1087CA748}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\realm of the mad god\realm of the mad god.exe |
"{AC80B0E5-B942-46E0-98B2-DA5043F34DBD}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\natural selection 2\ns2.exe |
"{AF3EDFA8-F812-428F-BB8D-4E69ECCF52F7}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\cubemen\cubemen.exe |
"{BD6A378D-5518-40DD-BA19-35D77569F422}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\serious sam 3\bin\sam3.exe |
"{C476A7C5-95CA-4724-8A82-8ACC0948051F}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\besetup\setup_battleyearma2oa.exe |
"{C502B590-A127-4540-BAC6-ED9E7581E27A}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd |
"{CCC35817-5A77-41DD-856E-90D13D92FF2F}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\realm of the mad god\realm of the mad god.exe |
"{D890B451-5716-4C64-8906-D15020CC1A4F}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd |
"{DC2042D2-53FF-4EF6-AAF4-3317D981FEA9}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\hackslashloot\hackslashloot.exe |
"{E035207A-712A-4BAA-BA61-0D34BBB1199B}" = protocol=6 | dir=in | app=d:\games\steam\steamapps\common\magic 2013\dotp_d13.exe |
"{E32677BC-EE1F-4C33-ADB6-ACD05A8587BB}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.1040\agent.exe |
"{E9810919-82FE-4DEA-86FC-D2FC22968D29}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\natural selection 2\ns2.exe |
"{EC473C10-976D-4C4F-9F0D-03A19B9EBB51}" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\_runa2co.cmd |
"{F24069D9-DC94-4E8B-837D-E79B9A76115A}" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2\arma2.exe |
"{F51D7611-FFE0-478D-A43F-60C6A0BE248C}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\cubemen\cubemen.exe |
"{FD3F0985-04D0-477F-A41F-0EEAAF10ADF6}" = protocol=17 | dir=in | app=d:\games\steam\steamapps\common\natural selection 2\launchpad.exe |
"TCP Query User{1561DC82-A86E-49AC-AA62-4101F72A947C}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"TCP Query User{15CF477D-216A-4B47-BA95-1FD6C457CDEC}E:\games\dead space 2\deadspace2.exe" = protocol=6 | dir=in | app=e:\games\dead space 2\deadspace2.exe |
"TCP Query User{2B18C8C9-4A32-49D2-9C54-7035CDF5B49F}C:\windows\system32\java.exe" = protocol=6 | dir=in | app=c:\windows\system32\java.exe |
"TCP Query User{2DE05F73-C784-42CE-9D9E-D775AE80B9CB}E:\apps\winamp\winamp.exe" = protocol=6 | dir=in | app=e:\apps\winamp\winamp.exe |
"TCP Query User{402EF7EC-EA40-41CC-B303-44210C3C6C10}E:\apps\qip infium\infium.exe" = protocol=6 | dir=in | app=e:\apps\qip infium\infium.exe |
"TCP Query User{4D2256F4-4CE2-4717-8620-F5E761E5C9A6}E:\apps\qip infium\infium.exe" = protocol=6 | dir=in | app=e:\apps\qip infium\infium.exe |
"TCP Query User{586118B8-AA3B-4B55-AB50-31FCE6EF04B3}E:\apps\icechat7\icechat7.exe" = protocol=6 | dir=in | app=e:\apps\icechat7\icechat7.exe |
"TCP Query User{5DCE2DA5-1926-4D5E-8E77-30D8897806F2}D:\games\orcs must die 2\build\release\orcsmustdie2.exe" = protocol=6 | dir=in | app=d:\games\orcs must die 2\build\release\orcsmustdie2.exe |
"TCP Query User{766026A6-BD7D-4CB1-ACA8-27C699075CCD}D:\games\steam\steam.exe" = protocol=6 | dir=in | app=d:\games\steam\steam.exe |
"TCP Query User{804BD42E-02B7-4002-8D63-C4B2E5FA0F89}F:\games\diablo iii\diablo iii.exe" = protocol=6 | dir=in | app=f:\games\diablo iii\diablo iii.exe |
"TCP Query User{93812D0D-CD63-4A33-803F-4F97875016A6}E:\games\suxupdater\tools\bin\rsync.exe" = protocol=6 | dir=in | app=e:\games\suxupdater\tools\bin\rsync.exe |
"TCP Query User{AA61333E-0E51-4A15-9C7A-D60F2323E723}E:\games\men of war condemned heroes\condemned heroes.exe" = protocol=6 | dir=in | app=e:\games\men of war condemned heroes\condemned heroes.exe |
"TCP Query User{B4AF929B-5018-42AE-A715-DEDACD9969F2}D:\games\thewhitcher2\bin\witcher2.exe" = protocol=6 | dir=in | app=d:\games\thewhitcher2\bin\witcher2.exe |
"TCP Query User{B6DDC33C-3FEE-42D4-ADEE-CF2AA69BDAAF}C:\programdata\battle.net\agent\agent.524\agent.exe" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.524\agent.exe |
"TCP Query User{C1162F77-EEBB-49A4-9D25-3BEA8E512008}E:\apps\winamp\winamp.exe" = protocol=6 | dir=in | app=e:\apps\winamp\winamp.exe |
"TCP Query User{C9E239A3-A801-4B8D-B9C6-800E79F31729}E:\games\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe" = protocol=6 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe |
"TCP Query User{D1E4D631-38BF-4F33-9CB3-023016B907ED}E:\apps\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=e:\apps\jre7\bin\javaw.exe |
"TCP Query User{D5569441-BD63-41C7-BC7C-723C8AD400B9}F:\games\world_of_tanks\worldoftanks.exe" = protocol=6 | dir=in | app=f:\games\world_of_tanks\worldoftanks.exe |
"TCP Query User{EBF93C2A-D464-4BE8-8E7E-9895470BEDFF}E:\apps\java\bin\javaw.exe" = protocol=6 | dir=in | app=e:\apps\java\bin\javaw.exe |
"TCP Query User{FA409024-B3B7-45EA-B516-B08D2628266A}F:\games\world_of_tanks\wotlauncher.exe" = protocol=6 | dir=in | app=f:\games\world_of_tanks\wotlauncher.exe |
"UDP Query User{07BC9535-CEAE-47E6-9537-2A734AAA3368}E:\apps\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=e:\apps\jre7\bin\javaw.exe |
"UDP Query User{2332C4A5-AB31-483E-9F24-3CBA33F0B41E}E:\apps\icechat7\icechat7.exe" = protocol=17 | dir=in | app=e:\apps\icechat7\icechat7.exe |
"UDP Query User{24033BF6-AA78-48DC-A155-50EDF44EE458}E:\games\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe" = protocol=17 | dir=in | app=e:\games\steam\steamapps\common\arma 2 operation arrowhead\expansion\beta\arma2oa.exe |
"UDP Query User{4144B225-F1EE-4AE7-B37F-062DF6654D94}D:\games\orcs must die 2\build\release\orcsmustdie2.exe" = protocol=17 | dir=in | app=d:\games\orcs must die 2\build\release\orcsmustdie2.exe |
"UDP Query User{499DDED2-E33F-462D-8F1C-29F375180099}D:\games\thewhitcher2\bin\witcher2.exe" = protocol=17 | dir=in | app=d:\games\thewhitcher2\bin\witcher2.exe |
"UDP Query User{5B8EE835-29A2-4756-8859-568A8264F9B1}E:\games\dead space 2\deadspace2.exe" = protocol=17 | dir=in | app=e:\games\dead space 2\deadspace2.exe |
"UDP Query User{68264CDE-9840-4A90-BEE9-CAE02A212084}F:\games\diablo iii\diablo iii.exe" = protocol=17 | dir=in | app=f:\games\diablo iii\diablo iii.exe |
"UDP Query User{6A8F8562-955F-4CA6-B531-324AE432D103}E:\apps\java\bin\javaw.exe" = protocol=17 | dir=in | app=e:\apps\java\bin\javaw.exe |
"UDP Query User{6E4A8DAD-87BB-415D-ABA0-B317D6EF2EE5}C:\windows\system32\java.exe" = protocol=17 | dir=in | app=c:\windows\system32\java.exe |
"UDP Query User{7075A9E5-37D2-42C7-A15E-622E4B66AF41}E:\apps\winamp\winamp.exe" = protocol=17 | dir=in | app=e:\apps\winamp\winamp.exe |
"UDP Query User{7154214E-0C12-4CBB-8985-36026B3E0947}F:\games\world_of_tanks\worldoftanks.exe" = protocol=17 | dir=in | app=f:\games\world_of_tanks\worldoftanks.exe |
"UDP Query User{829F47AB-3F39-4CC0-9332-1087191DED06}E:\apps\qip infium\infium.exe" = protocol=17 | dir=in | app=e:\apps\qip infium\infium.exe |
"UDP Query User{9AD973E9-ACDE-4E19-966C-0C6D017B750A}E:\games\men of war condemned heroes\condemned heroes.exe" = protocol=17 | dir=in | app=e:\games\men of war condemned heroes\condemned heroes.exe |
"UDP Query User{C3AFA5DE-3E38-4217-9164-18F868F76DF5}C:\programdata\battle.net\agent\agent.524\agent.exe" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.524\agent.exe |
"UDP Query User{CB6073AE-8BC0-4D2A-B3EB-E679B6DDFE72}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"UDP Query User{D1D5A192-FE4D-4D46-8D6E-DF0C40C4AE63}E:\games\suxupdater\tools\bin\rsync.exe" = protocol=17 | dir=in | app=e:\games\suxupdater\tools\bin\rsync.exe |
"UDP Query User{D5F313AA-7F98-452D-9623-BEC9606A086A}F:\games\world_of_tanks\wotlauncher.exe" = protocol=17 | dir=in | app=f:\games\world_of_tanks\wotlauncher.exe |
"UDP Query User{DD9239F2-662F-4124-95F7-2BA0C9CEE810}E:\apps\winamp\winamp.exe" = protocol=17 | dir=in | app=e:\apps\winamp\winamp.exe |
"UDP Query User{EAA33EEC-8849-4E75-9650-E69FABFF946B}E:\apps\qip infium\infium.exe" = protocol=17 | dir=in | app=e:\apps\qip infium\infium.exe |
"UDP Query User{FEEA004B-03F6-4F7F-8AA4-346B6AC3709E}D:\games\steam\steam.exe" = protocol=17 | dir=in | app=d:\games\steam\steam.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{119B2F5A-2A06-DB96-FF28-992EC2A10BDF}" = AMD Accelerated Video Transcoding
"{2E8D6204-D656-8355-1ED3-2988AC52EB0F}" = ccc-utility64
"{3ABFAF33-D6EE-9348-CE96-AF51E9D6D2FF}" = AMD Drag and Drop Transcoding
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10
"{5831C6D6-309D-DBB5-14F7-FEE57086CEE7}" = AMD Catalyst Install Manager
"{61A177CE-86A3-433F-BFE2-41AB9123A268}" = ESET NOD32 Antivirus
"{63CE6C32-1EB3-4C51-89FC-9FD96A661A9C}" = AMD Media Foundation Decoders
"{6A76BEAF-6D1F-4273-A79B-DA8410A2E56B}" = Apple Mobile Device Support
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{840A3BAA-4C68-4581-9C7A-6F8D6CF531B9}" = iTunes
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"4144-4862-0472-7103" = WorldPainter 0.9.2
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"WinRAR archiver" = WinRAR 4.20 (64-Bit)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03D4C700-2BFE-43E0-A0B4-9512B43C5B9F}" = Catalyst Control Center - Branding
"{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{19D614EB-D62A-AEE7-2391-E74126601D59}" = CCC Help Italian
"{1C373820-B9C8-0F7F-8F84-FC1B76A85F27}" = CCC Help Portuguese
"{26A24AE4-039D-4CA4-87B4-2F83217006FF}" = Java 7 Update 6
"{2D35BC33-7D08-D529-DF91-8A15FBF2600E}" = CCC Help Polish
"{2D8CED57-CCDB-4D86-9087-3BBCAE8F8F22}" = Six Updater
"{337788D1-43D1-9A0F-9787-DD00DB512D41}" = Catalyst Control Center Localization All
"{4725833D-4325-5C34-57D4-1FE23E5AE578}" = CCC Help Chinese Standard
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B271648-43CB-DD31-FF24-E7B06D3EE72A}" = Catalyst Control Center InstallProxy
"{4DC37F33-7AEC-A4CB-56B1-69A402828763}" = CCC Help Japanese
"{5710DAC2-8F2A-503C-CFC2-A973ADE0EA4C}" = CCC Help Czech
"{5C763682-4C40-86DA-9C46-31924D7D2C34}" = CCC Help Thai
"{60E5022D-FA4B-C6A2-1E80-B46EC39096F3}" = CCC Help Chinese Traditional
"{60F34FDF-267C-408F-290E-EC90D841C8CB}" = CCC Help German
"{66B79AE1-C6E2-B958-689C-D0812DE86BAB}" = CCC Help Greek
"{6B39BE0F-0F5E-A8FA-33E4-8481AE39D96C}" = CCC Help Russian
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{8E19F2AF-7145-51DE-E395-7729A9374973}" = Catalyst Control Center Graphics Previews Common
"{91CB5B8B-4EC8-DBA1-A88D-99FD480567B0}" = CCC Help English
"{924FBAC4-60D2-7981-3C3E-979DF9CBB346}" = CCC Help Finnish
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DC939DC-B7A4-D0E2-C582-A442DF1B3EBE}" = CCC Help Spanish
"{A1BD938B-F006-6E6D-70B2-47E1DD56F7DE}" = CCC Help Swedish
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch
"{B48E264C-C8CD-4617-B0BE-46E977BAD694}" = ANNO 2070
"{BABF7852-C2DD-6A8A-9956-101720C715C7}" = CCC Help Turkish
"{BB7C2A56-9706-43B8-5A8C-210AF5816106}" = CCC Help French
"{CA328CDF-A284-445E-AAE7-B24A11E97201}" = MechWarrior Online
"{CFC2CB60-5654-05A7-4D30-C661800A3A92}" = CCC Help Korean
"{D04CE005-D1D2-80F3-84C8-B3524FCD39C3}" = CCC Help Norwegian
"{D544AE4C-4152-225B-A897-6756C8986B14}" = Catalyst Control Center
"{D81E9069-3CCC-4405-3751-71E4AFEACC52}" = CCC Help Hungarian
"{E93FF166-DF14-2537-8FB4-96BB5810A96C}" = CCC Help Danish
"{F0A209B7-7F85-4BDD-8F1F-B98EEAD9E04B}" = The Witcher 2
"{FA66CFD7-0977-4C45-AACD-A8BB994B1A05}" = Quake Live Mozilla Plugin
"{FA9827E1-8A8E-C176-4923-0840A67ED4DE}" = CCC Help Dutch
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AnyDVD" = AnyDVD
"BattlEye for A2" = BattlEye Uninstall
"BattlEye for OA" = BattlEye for OA Uninstall
"DAEMON Tools Lite" = DAEMON Tools Lite
"Darksiders II_is1" = Darksiders II
"Endless Space_is1" = Endless Space
"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.50
"IceChat_is1" = IceChat 7.70 (Build 20101031)
"IrfanView" = IrfanView (remove only)
"Legends of Pegasus_is1" = Legends of Pegasus
"MiNODLogin" = ESET Antivirus License Finder (MiNODLogin)
"MozBackup" = MozBackup 1.5.1
"Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Notepad++" = Notepad++
"Orcs Must Die 2_is1" = Orcs Must Die 2
"Sid Meier's Civilization V - Gods and Kings_is1" = Sid Meier's Civilization V - Gods and Kings
"Sins of a Solar Empire Rebellion (c) Stardock_is1" = Sins of a Solar Empire Rebellion (c) Stardock version 1
"Steam App 200210" = Realm of the Mad God
"Steam App 207250" = Cubemen
"Steam App 207430" = Hack, Slash, Loot
"Steam App 220" = Half-Life 2
"Steam App 33910" = ARMA 2
"Steam App 33930" = ARMA 2: Operation Arrowhead
"Steam App 340" = Half-Life 2: Lost Coast
"Steam App 380" = Half-Life 2: Episode One
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"Steam App 570" = Dota 2
"Steam App 97330" = Magic: The Gathering - Duels of the Planeswalkers 2013
"VLC media player" = VLC media player 2.0.1
"Winamp" = Winamp
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-72721436-1853332672-4045996675-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{4f004f4a-1930-4b55-83e6-61660211787f}" = MechWarrior Online
"CopyTrans Suite" = Nur Entfernen der CopyTrans Suite möglich
"Google Chrome" = Google Chrome
"QIP Infium" = QIP Infium 3.0.9044
"Winamp Detect" = Winamp Erkennungs-Plug-in
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 28.08.2012 10:51:22 | Computer Name = ZweckformerPC2 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 7067
 
Error - 28.08.2012 10:51:23 | Computer Name = ZweckformerPC2 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 28.08.2012 10:51:23 | Computer Name = ZweckformerPC2 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 8066
 
Error - 28.08.2012 10:51:23 | Computer Name = ZweckformerPC2 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 8066
 
Error - 29.08.2012 03:17:31 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10
Description =
 
Error - 29.08.2012 05:50:16 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10
Description =
 
Error - 29.08.2012 06:04:38 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10
Description =
 
Error - 29.08.2012 06:13:15 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10
Description =
 
Error - 29.08.2012 06:16:15 | Computer Name = ZweckformerPC2 | Source = Microsoft-Windows-CAPI2 | ID = 512
Description = Vom Kryptografiedienst konnte das VSS-Sicherungsobjekt "System Writer"
 nicht initialisiert werden.  Details: Could not query the status of the EventSystem
 service.  System Error: Der Computer wird heruntergefahren.  .
 
Error - 29.08.2012 06:19:24 | Computer Name = ZweckformerPC2 | Source = WinMgmt | ID = 10
Description =
 
[ System Events ]
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 29.08.2012 08:35:20 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 29.08.2012 08:35:24 | Computer Name = ZweckformerPC2 | Source = DCOM | ID = 10005
Description =
 
Error - 29.08.2012 08:35:24 | Computer Name = ZweckformerPC2 | Source = DCOM | ID = 10005
Description =
 
Error - 29.08.2012 08:35:24 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 29.08.2012 09:02:30 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
Error - 29.08.2012 10:15:06 | Computer Name = ZweckformerPC2 | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location
 Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:  %%1068
 
 
< End of report >
--- --- ---



Die Dateien aus dem _OTL Ordner der auf D: lag sowie der "cache" Ordner aus dem Java-pfad habe ich über den Uploadchannel hochgeladen.

vielen dank fuer die Hilfe!!!

mfg

markusg 29.08.2012 16:07
sehr gut
Combofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich
ziehen und eine Bereinigung der Infektion noch erschweren.
Downloade dir bitte Combofix von einem dieser Downloadspiegel

Link 1
Link 2


WICHTIG - Speichere Combofix auf deinem Desktop
  • Deaktiviere bitte all deine Anti Viren sowie Anti Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.
Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Wenn Combofix fertig ist, wird es eine Logfile erstellen. Bitte poste die C:\Combofix.txt in deiner nächsten Antwort.


Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten
Zitat:
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
starte den Rechner einfach neu. Dies sollte das Problem beheben.

Zweckformer 29.08.2012 17:10
Ok, ist erledigt.

Anbei die Auswertung der ComboFix.exe:

[CODE]
Combofix Logfile:
Code:
ComboFix 12-08-28.03 - Zweckformer 29.08.2012  18:00:25.2.4 - x64
Microsoft Windows 7 Professional  6.1.7601.1.1252.49.1031.18.8190.6403 [GMT 2:00]
ausgeführt von:: d:\users\DenDe\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\users\DenDe\AppData\Roaming\msconfig.ini
.
.
(((((((((((((((((((((((  Dateien erstellt von 2012-07-28 bis 2012-08-29  ))))))))))))))))))))))))))))))
.
.
2012-08-29 14:22 . 2012-08-27 23:49        9310152        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{DB332942-1681-4B3B-92E2-B883A403F285}\mpengine.dll
2012-08-29 11:51 . 2012-08-29 11:51        --------        d-----w-        C:\found.000
2012-08-29 10:46 . 2012-08-29 16:04        --------        d-----w-        c:\windows\system32\wbem\repository
2012-08-23 08:27 . 2012-08-23 08:27        --------        d-----w-        c:\program files (x86)\Common Files\Java
2012-08-23 08:27 . 2012-08-23 08:27        95208        ----a-w-        c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-23 08:27 . 2012-08-23 08:27        --------        d-----w-        c:\program files (x86)\Java
2012-08-20 21:27 . 2012-08-20 21:38        --------        d-----w-        d:\users\DenDe\AppData\Local\Darksiders2
2012-08-19 21:37 . 2012-06-29 03:49        1392128        ----a-w-        c:\windows\system32\wininet.dll
2012-08-19 21:22 . 2012-08-19 21:22        --------        d-----w-        C:\Games
2012-08-19 21:22 . 2012-08-19 21:22        --------        d-----w-        d:\users\DenDe\AppData\Local\Package Cache
2012-08-13 16:36 . 2012-08-13 16:36        --------        d-----w-        c:\programdata\RELOADED
2012-08-11 10:42 . 2012-08-11 10:42        --------        d-----w-        d:\users\DenDe\AppData\Roaming\RotMG.Production
2012-08-07 19:49 . 2012-08-07 19:49        --------        d-----w-        d:\users\DenDe\AppData\Local\Adobe
2012-08-06 18:39 . 2012-08-06 18:39        --------        d-----w-        d:\users\DenDe\AppData\Roaming\Natural Selection 2
2012-08-04 21:23 . 2012-08-04 21:23        --------        d-----w-        d:\users\DenDe\AppData\Roaming\HackSlashLoot
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-23 08:27 . 2012-06-21 15:03        746984        ----a-w-        c:\windows\SysWow64\deployJava1.dll
2012-08-21 18:39 . 2012-06-26 08:42        916456        ----a-w-        c:\windows\system32\deployJava1.dll
2012-08-21 18:39 . 2012-06-26 08:42        1034216        ----a-w-        c:\windows\system32\npDeployJava1.dll
2012-08-19 21:36 . 2012-06-22 07:56        62134624        ----a-w-        c:\windows\system32\MRT.exe
2012-08-19 18:50 . 2012-07-20 19:18        70344        ----a-w-        c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-19 18:50 . 2012-07-20 19:18        426184        ----a-w-        c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-29 21:38 . 2012-06-29 21:36        283200        ----a-w-        c:\windows\system32\drivers\dtsoftbus01.sys
2012-06-21 16:22 . 2012-06-21 16:22        74752        ----a-w-        c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-06-21 16:22 . 2012-06-21 16:22        161792        ----a-w-        c:\windows\SysWow64\msls31.dll
2012-06-21 16:22 . 2012-06-21 16:22        91648        ----a-w-        c:\windows\system32\SetIEInstalledDate.exe
2012-06-21 16:22 . 2012-06-21 16:22        89088        ----a-w-        c:\windows\system32\RegisterIEPKEYs.exe
2012-06-21 16:22 . 2012-06-21 16:22        89088        ----a-w-        c:\windows\system32\ie4uinit.exe
2012-06-21 16:22 . 2012-06-21 16:22        86528        ----a-w-        c:\windows\SysWow64\iesysprep.dll
2012-06-21 16:22 . 2012-06-21 16:22        85504        ----a-w-        c:\windows\system32\iesetup.dll
2012-06-21 16:22 . 2012-06-21 16:22        82432        ----a-w-        c:\windows\system32\icardie.dll
2012-06-21 16:22 . 2012-06-21 16:22        76800        ----a-w-        c:\windows\SysWow64\SetIEInstalledDate.exe
2012-06-21 16:22 . 2012-06-21 16:22        76800        ----a-w-        c:\windows\system32\tdc.ocx
2012-06-21 16:22 . 2012-06-21 16:22        74752        ----a-w-        c:\windows\SysWow64\iesetup.dll
2012-06-21 16:22 . 2012-06-21 16:22        65024        ----a-w-        c:\windows\system32\pngfilt.dll
2012-06-21 16:22 . 2012-06-21 16:22        63488        ----a-w-        c:\windows\SysWow64\tdc.ocx
2012-06-21 16:22 . 2012-06-21 16:22        55296        ----a-w-        c:\windows\system32\msfeedsbs.dll
2012-06-21 16:22 . 2012-06-21 16:22        534528        ----a-w-        c:\windows\system32\ieapfltr.dll
2012-06-21 16:22 . 2012-06-21 16:22        49664        ----a-w-        c:\windows\system32\imgutil.dll
2012-06-21 16:22 . 2012-06-21 16:22        48640        ----a-w-        c:\windows\SysWow64\mshtmler.dll
2012-06-21 16:22 . 2012-06-21 16:22        48640        ----a-w-        c:\windows\system32\mshtmler.dll
2012-06-21 16:22 . 2012-06-21 16:22        452608        ----a-w-        c:\windows\system32\dxtmsft.dll
2012-06-21 16:22 . 2012-06-21 16:22        448512        ----a-w-        c:\windows\system32\html.iec
2012-06-21 16:22 . 2012-06-21 16:22        420864        ----a-w-        c:\windows\SysWow64\vbscript.dll
2012-06-21 16:22 . 2012-06-21 16:22        403248        ----a-w-        c:\windows\system32\iedkcs32.dll
2012-06-21 16:22 . 2012-06-21 16:22        39936        ----a-w-        c:\windows\system32\iernonce.dll
2012-06-21 16:22 . 2012-06-21 16:22        3695416        ----a-w-        c:\windows\system32\ieapfltr.dat
2012-06-21 16:22 . 2012-06-21 16:22        367104        ----a-w-        c:\windows\SysWow64\html.iec
2012-06-21 16:22 . 2012-06-21 16:22        35840        ----a-w-        c:\windows\SysWow64\imgutil.dll
2012-06-21 16:22 . 2012-06-21 16:22        282112        ----a-w-        c:\windows\system32\dxtrans.dll
2012-06-21 16:22 . 2012-06-21 16:22        267776        ----a-w-        c:\windows\system32\ieaksie.dll
2012-06-21 16:22 . 2012-06-21 16:22        23552        ----a-w-        c:\windows\SysWow64\licmgr10.dll
2012-06-21 16:22 . 2012-06-21 16:22        222208        ----a-w-        c:\windows\system32\msls31.dll
2012-06-21 16:22 . 2012-06-21 16:22        197120        ----a-w-        c:\windows\system32\msrating.dll
2012-06-21 16:22 . 2012-06-21 16:22        163840        ----a-w-        c:\windows\system32\ieakui.dll
2012-06-21 16:22 . 2012-06-21 16:22        160256        ----a-w-        c:\windows\system32\ieakeng.dll
2012-06-21 16:22 . 2012-06-21 16:22        152064        ----a-w-        c:\windows\SysWow64\wextract.exe
2012-06-21 16:22 . 2012-06-21 16:22        150528        ----a-w-        c:\windows\SysWow64\iexpress.exe
2012-06-21 16:22 . 2012-06-21 16:22        149504        ----a-w-        c:\windows\system32\occache.dll
2012-06-21 16:22 . 2012-06-21 16:22        145920        ----a-w-        c:\windows\system32\iepeers.dll
2012-06-21 16:22 . 2012-06-21 16:22        135168        ----a-w-        c:\windows\system32\IEAdvpack.dll
2012-06-21 16:22 . 2012-06-21 16:22        12288        ----a-w-        c:\windows\system32\mshta.exe
2012-06-21 16:22 . 2012-06-21 16:22        11776        ----a-w-        c:\windows\SysWow64\mshta.exe
2012-06-21 16:22 . 2012-06-21 16:22        114176        ----a-w-        c:\windows\system32\admparse.dll
2012-06-21 16:22 . 2012-06-21 16:22        111616        ----a-w-        c:\windows\system32\iesysprep.dll
2012-06-21 16:22 . 2012-06-21 16:22        110592        ----a-w-        c:\windows\SysWow64\IEAdvpack.dll
2012-06-21 16:22 . 2012-06-21 16:22        10752        ----a-w-        c:\windows\system32\msfeedssync.exe
2012-06-21 16:22 . 2012-06-21 16:22        101888        ----a-w-        c:\windows\SysWow64\admparse.dll
2012-06-21 16:22 . 2012-06-21 16:22        697344        ----a-w-        c:\windows\system32\msfeeds.dll
2012-06-21 16:22 . 2012-06-21 16:22        603648        ----a-w-        c:\windows\system32\vbscript.dll
2012-06-21 16:22 . 2012-06-21 16:22        30720        ----a-w-        c:\windows\system32\licmgr10.dll
2012-06-21 16:22 . 2012-06-21 16:22        249344        ----a-w-        c:\windows\system32\webcheck.dll
2012-06-21 16:22 . 2012-06-21 16:22        165888        ----a-w-        c:\windows\system32\iexpress.exe
2012-06-21 16:22 . 2012-06-21 16:22        160256        ----a-w-        c:\windows\system32\wextract.exe
2012-06-21 16:22 . 2012-06-21 16:22        103936        ----a-w-        c:\windows\system32\inseng.dll
2012-06-09 05:43 . 2012-07-11 05:57        14172672        ----a-w-        c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-11 05:57        2004480        ----a-w-        c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 05:57        1881600        ----a-w-        c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 05:57        1133568        ----a-w-        c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 05:57        1390080        ----a-w-        c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 05:57        1236992        ----a-w-        c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 05:57        805376        ----a-w-        c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-22 08:06        38424        ----a-w-        c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 08:07        2428952        ----a-w-        c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 08:07        57880        ----a-w-        c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 08:07        44056        ----a-w-        c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 08:06        701976        ----a-w-        c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 08:07        2622464        ----a-w-        c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 08:06        99840        ----a-w-        c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-22 08:06        186752        ----a-w-        c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-22 08:06        36864        ----a-w-        c:\windows\system32\wuapp.exe
2012-06-02 05:50 . 2012-07-11 05:57        458704        ----a-w-        c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-11 05:57        95600        ----a-w-        c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-11 05:57        151920        ----a-w-        c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-11 05:57        340992        ----a-w-        c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-11 05:57        307200        ----a-w-        c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-11 05:57        22016        ----a-w-        c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-11 05:57        225280        ----a-w-        c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-11 05:57        219136        ----a-w-        c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-11 05:57        96768        ----a-w-        c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="e:\apps\DAEMON Tools Lite\DTLite.exe" [2012-04-11 3672384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-05 641664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"iTunesHelper"="e:\apps\Itunes\iTunesHelper.exe" [2012-06-07 421776]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 250056]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;e:\apps\EVEREST Ultimate Edition\kerneld.amd64 [2010-03-30 26752]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-04-25 52736]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-06-29 283200]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2011-08-04 146432]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-04-06 236544]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2011-08-09 202576]
S2 ekrn;ESET Service;e:\apps\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2011-08-04 137144]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-04-06 11174400]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-04-06 343040]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f7eab56-bc40-11e1-9592-0023ae616502}]
\shell\AutoRun\command - K:\Setup.exe
.
Inhalt des "geplante Tasks" Ordners
.
2012-08-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-20 18:50]
.
2012-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-72721436-1853332672-4045996675-1001Core.job
- d:\users\DenDe\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-20 19:07]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-72721436-1853332672-4045996675-1001UA.job
- d:\users\DenDe\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-20 19:07]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="e:\apps\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 217.0.43.129 192.168.0.1
FF - ProfilePath - d:\users\DenDe\AppData\Roaming\Mozilla\Firefox\Profiles\b4uoubp3.default\
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-BattlEye for A2 - e:\games\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe
AddRemove-BattlEye for OA - e:\games\steam\steamapps\common\arma 2 operation arrowhead\Expansion\BattlEye\UnInstallBE.exe
AddRemove-Steam App 207250 - e:\games\Steam\steam.exe
AddRemove-Steam App 207430 - e:\games\Steam\steam.exe
AddRemove-Steam App 33910 - e:\games\Steam\steam.exe
AddRemove-Steam App 33930 - e:\games\Steam\steam.exe
AddRemove-Steam App 570 - e:\games\Steam\steam.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EverestDriver]
"ImagePath"="\??\e:\apps\EVEREST Ultimate Edition\kerneld.amd64"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-08-29  18:07:39 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2012-08-29 16:07
.
Vor Suchlauf: 8 Verzeichnis(se), 31.276.617.728 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 31.244.578.816 Bytes frei
.
- - End Of File - - 4BC448140F933A884870ABAE98DAF28E
--- --- ---


mfg

markusg 29.08.2012 17:11
hi
malwarebytes:
Downloade Dir bitte Malwarebytes
  • Installiere
    das Programm in den vorgegebenen Pfad.
    Vista und Win7 User mit Rechtsklick "als Administrator starten"
  • Starte Malwarebytes, klicke auf Aktualisierung --> Suche
    nach Aktualisierung
  • Wenn das Update beendet wurde, aktiviere vollständiger Scan durchführen und drücke auf Scannen.
  • Wenn der Scan beendet
    ist, klicke auf Ergebnisse anzeigen.
  • Versichere Dich, dass alle Funde markiert sind und drücke Entferne Auswahl.
  • Poste
    das Logfile, welches sich in Notepad öffnet, hier in den Thread.
  • Nachträglich kannst du den Bericht unter "Log Dateien" finden.

Zweckformer 29.08.2012 18:03
Hey.

Hier der mwb-log

Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.08.29.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Zweckformer :: ZWECKFORMERPC2 [Administrator]

29.08.2012 18:19:13
mbam-log-2012-08-29 (18-19-13).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 424507
Laufzeit: 36 Minute(n), 5 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
E:\Games\Serious Sam HD - The Second Encounter\TDU5k.exe (Packer.ModifiedUPX) -> Erfolgreich gelöscht und in Quarantäne gestellt.
D:\_OTL\MovedFiles\08292012_161544\D_Users\DenDe\AppData\Roaming\msconfig.dat (Trojan.Agent.VGENX) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
gilt es sonst noch etwas zu tun?

gruessle

markusg 30.08.2012 12:07
lade den CCleaner standard:
CCleaner Download - CCleaner 3.22.1800
falls der CCleaner
bereits instaliert, überspringen.
instalieren, öffnen, extras, liste der instalierten programme, als txt speichern. öffnen.
hinter, jedes von dir benötigte programm, schreibe notwendig.
hinter, jedes, von dir nicht benötigte, unnötig.
hinter, dir unbekannte, unbekannt.
liste posten.


Alle Zeitangaben in WEZ +1. Es ist jetzt 16:41 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131