Weißer Bildschirm mit roten Rändern nach Boot

elJonny · 18.02.2013, 15:30

Hallo allerseits!

Seit einigen Tagen tritt am PC meiner Eltern folgendes Problem auf:

Nach dem Bootvorgang sieht man kurz den Desktop, doch dann wird der Bildschirm weiß mit schmalen roten Rändern rechts und links.
Der Taskmanager schließt sich nach einer Sekunde gleich wieder von selbst, sodass man nichts damit anfangen kann.

Im abgesichterten Modus habe ich Scans von Avira und Spybot laufen lassen. Dabei wurde auch ein Trojaner gefunden. Habe die Funde in Quarantäne verschoben. Das hat allerdings das Problem nicht behoben.

Ich hab natürlich schon nach dem Problem gegooglet, aber es scheint keine Standardlösung dafür zu geben.

Was muss ich tun, um das Ding wieder so vom Rechner zu kriegen, dass er wieder nutzbar wird? Über Hilfe würde ich mich sehr freuen.

Code:

ATTFilter

OTL logfile created on: 18.02.2013 14:03:35 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Jonny\Desktop
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 3,22 Gb Available Physical Memory | 80,58% Memory free
8,00 Gb Paging File | 7,33 Gb Available in Paging File | 91,66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 239,50 Gb Total Space | 154,67 Gb Free Space | 64,58% Space Free | Partition Type: NTFS
Drive J: | 37,79 Gb Total Space | 0,99 Gb Free Space | 2,62% Space Free | Partition Type: NTFS
 
Computer Name: JONNY-PC | User Name: Jonny | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.02.18 13:53:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jonny\Desktop\OTL.exe
PRC - [2012.03.27 12:31:33 | 087,227,952 | ---- | M] () -- C:\Program Files (x86)\Avira\avira_free_antivirus_de.exe
PRC - [2012.01.31 08:56:04 | 002,757,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Users\Jonny\AppData\Local\Temp\RarSFX3\presetup.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.03.27 12:31:33 | 087,227,952 | ---- | M] () -- C:\Program Files (x86)\Avira\avira_free_antivirus_de.exe
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2009.07.14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
SRV:64bit: - [2009.07.14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2013.02.12 12:42:42 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.02.06 11:12:59 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.01.08 12:55:20 | 000,161,536 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.12.14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.12.14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2011.05.21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011.03.16 09:42:06 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010.03.18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.06.10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012.12.14 16:49:28 | 000,024,176 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011.06.29 14:36:28 | 000,123,784 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2011.06.29 14:36:28 | 000,088,288 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2009.12.19 09:11:40 | 000,314,400 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009.07.14 02:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009.07.14 02:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009.07.14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 02:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009.07.14 02:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009.07.14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.03.18 16:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)
DRV:64bit: - [2008.07.26 15:26:34 | 000,050,072 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LVUSBS64.sys -- (LVUSBS64)
DRV:64bit: - [2008.07.26 15:25:48 | 000,790,424 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvrs64.sys -- (LVRS64)
DRV:64bit: - [2008.07.26 15:22:34 | 002,624,408 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LV302V64.SYS -- (PID_PEPI)
DRV:64bit: - [2008.07.26 15:22:22 | 000,015,768 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lv302a64.sys -- (lvpepf64)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://domredi.com/1/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9A C2 A7 4C FC F8 CA 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2269050
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..extensions.enabledAddons: groovesharkUnlocker%40overlord1337:1.3
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.2
 
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_149.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.02.06 11:12:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.02.06 11:12:58 | 000,000,000 | ---D | M]
 
[2012.01.21 14:39:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jonny\AppData\Roaming\mozilla\Extensions
[2013.02.15 11:58:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jonny\AppData\Roaming\mozilla\Firefox\Profiles\j6940fbg.default\extensions
[2012.11.14 21:26:10 | 000,029,022 | ---- | M] () (No name found) -- C:\Users\Jonny\AppData\Roaming\mozilla\firefox\profiles\j6940fbg.default\extensions\groovesharkUnlocker@overlord1337.xpi
[2013.01.19 16:40:01 | 000,492,222 | ---- | M] () (No name found) -- C:\Users\Jonny\AppData\Roaming\mozilla\firefox\profiles\j6940fbg.default\extensions\toolbar@gmx.net.xpi
[2013.02.15 11:58:07 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\Jonny\AppData\Roaming\mozilla\firefox\profiles\j6940fbg.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012.09.24 14:15:10 | 000,000,853 | ---- | M] () -- C:\Users\Jonny\AppData\Roaming\mozilla\firefox\profiles\j6940fbg.default\searchplugins\11-suche.xml
[2012.09.24 14:15:10 | 000,002,209 | ---- | M] () -- C:\Users\Jonny\AppData\Roaming\mozilla\firefox\profiles\j6940fbg.default\searchplugins\englische-ergebnisse.xml
[2012.09.24 14:15:10 | 000,010,506 | ---- | M] () -- C:\Users\Jonny\AppData\Roaming\mozilla\firefox\profiles\j6940fbg.default\searchplugins\gmx-suche.xml
[2012.09.24 14:15:10 | 000,002,368 | ---- | M] () -- C:\Users\Jonny\AppData\Roaming\mozilla\firefox\profiles\j6940fbg.default\searchplugins\lastminute.xml
[2012.09.24 14:15:10 | 000,005,489 | ---- | M] () -- C:\Users\Jonny\AppData\Roaming\mozilla\firefox\profiles\j6940fbg.default\searchplugins\webde-suche.xml
[2013.02.06 11:12:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.02.06 11:12:59 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.03.28 13:13:11 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2012.08.15 14:01:53 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.09.28 19:07:14 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.08.15 14:01:53 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.08.15 14:01:53 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.08.15 14:01:53 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.08.15 14:01:53 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (toolplugin) - {DFEFCDEE-CF1A-4FC8-89AF-189327213627} - C:\Users\Jonny\AppData\Roaming\toolplugin\toolbar.dll ()
O4 - HKLM..\Run: [avgnt] "C:\Private Programme\Avira\AntiVir Desktop\avgnt.exe" /min File not found
O4 - HKLM..\Run: [Krait] C:\Program Files (x86)\Razer\Krait\razerhid.exe ()
O4 - HKCU..\Run: [Metropolis] rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle File not found
O4 - HKCU..\Run: [ovfu.exe] C:\Users\Jonny\AppData\Roaming\Voowu\ovfu.exe ()
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
O4 - HKCU..\Run: [tuni.exe] C:\Users\Jonny\AppData\Roaming\Owym\tuni.exe ()
O4 - HKCU..\Run: [U36VRSFLG6] C:\Users\Jonny\AppData\Local\Temp\Ebr.exe File not found
O4 - HKCU..\Run: [UpdateMyDrivers] C:\Program Files (x86)\SmartTweak Software\UpdateMyDrivers\UpdateMyDrivers.exe /ot /as /ss File not found
O4 - HKCU..\Run: [vxwonribwexinsg] C:\ProgramData\vxwonrib.exe ()
O4 - HKLM..\RunOnce: [ Malwarebytes Anti-Malware ] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: fritz.box ([]* in Computer)
O15 - HKCU\..Trusted Ranges: Range1 ([*] in Computer)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{93E93256-7F4C-4E9A-B33F-F9C8440EA13F}: DhcpNameServer = 192.168.178.1
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{4a012010-9952-11e1-a922-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{4a012010-9952-11e1-a922-806e6f6e6963}\Shell\AutoRun\command - "" = F:\iStudio.exe
O33 - MountPoints2\{e91e61bc-6c19-11df-ad4e-001c255ef7e6}\Shell - "" = AutoRun
O33 - MountPoints2\{e91e61bc-6c19-11df-ad4e-001c255ef7e6}\Shell\AutoRun\command - "" = "F:\WD SmartWare.exe" autoplay=true
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.02.18 13:53:15 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Jonny\Desktop\OTL.exe
[2013.02.18 13:33:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.02.18 13:33:19 | 000,000,000 | ---D | C] -- C:\Users\Jonny\AppData\Local\Programs
[2013.02.18 13:18:56 | 000,000,000 | ---D | C] -- C:\Users\Jonny\AppData\Roaming\Uqiber
[2013.02.18 13:18:56 | 000,000,000 | ---D | C] -- C:\Users\Jonny\AppData\Roaming\Ifycu
[2013.02.15 10:25:48 | 000,000,000 | ---D | C] -- C:\Users\Jonny\AppData\Roaming\Owym
[2013.02.15 10:25:48 | 000,000,000 | ---D | C] -- C:\Users\Jonny\AppData\Roaming\Evelsa
[2013.02.13 16:10:16 | 000,000,000 | ---D | C] -- C:\ProgramData\qsgizwobwjchaub
[2013.02.07 20:24:27 | 000,000,000 | R--D | C] -- C:\Program Files (x86)\Skype
[2013.02.07 20:24:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2013.02.07 20:24:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2013.02.06 11:12:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
 
========== Files - Modified Within 30 Days ==========
 
[2013.02.18 14:02:51 | 000,009,248 | ---- | M] () -- C:\Users\Jonny\Desktop\Unbenannt 1.odt
[2013.02.18 13:53:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jonny\Desktop\OTL.exe
[2013.02.18 13:50:58 | 000,050,477 | ---- | M] () -- C:\Users\Jonny\Desktop\Defogger(1).exe
[2013.02.18 13:50:26 | 000,000,000 | ---- | M] () -- C:\Users\Jonny\defogger_reenable
[2013.02.18 13:24:36 | 001,611,160 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.02.18 13:24:36 | 000,696,132 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.02.18 13:24:36 | 000,651,450 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.02.18 13:24:36 | 000,147,428 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.02.18 13:24:36 | 000,120,382 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.02.18 13:20:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.02.18 13:20:14 | 3220,676,608 | -HS- | M] () -- C:\hiberfil.sys
[2013.02.18 13:18:42 | 000,000,286 | -H-- | M] () -- C:\Windows\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2013.02.18 13:18:40 | 000,000,286 | -H-- | M] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2013.02.18 13:18:39 | 000,000,246 | -H-- | M] () -- C:\Windows\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2013.02.15 17:39:09 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.02.15 17:39:09 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.02.13 20:30:02 | 000,000,234 | -H-- | M] () -- C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2013.02.13 16:10:17 | 000,076,326 | ---- | M] () -- C:\ProgramData\raupcjqeoqvspfj
[2013.02.13 16:08:00 | 000,122,368 | ---- | M] () -- C:\ProgramData\vxwonrib.exe
[2013.02.12 18:42:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.02.07 20:24:27 | 000,002,517 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
 
========== Files Created - No Company Name ==========
 
[2013.02.18 14:02:49 | 000,009,248 | ---- | C] () -- C:\Users\Jonny\Desktop\Unbenannt 1.odt
[2013.02.18 13:50:58 | 000,050,477 | ---- | C] () -- C:\Users\Jonny\Desktop\Defogger(1).exe
[2013.02.18 13:50:26 | 000,000,000 | ---- | C] () -- C:\Users\Jonny\defogger_reenable
[2013.02.13 16:10:16 | 000,122,368 | ---- | C] () -- C:\ProgramData\vxwonrib.exe
[2013.02.13 16:08:00 | 000,076,326 | ---- | C] () -- C:\ProgramData\raupcjqeoqvspfj
[2012.09.24 14:11:23 | 000,075,690 | ---- | C] () -- C:\Users\Jonny\.recently-used.xbel
[2011.12.14 17:36:11 | 001,588,294 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.04.13 15:55:39 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2010.10.27 16:41:31 | 000,007,605 | ---- | C] () -- C:\Users\Jonny\AppData\Local\Resmon.ResmonCfg
[2010.05.20 20:17:02 | 000,000,000 | ---- | C] () -- C:\Users\Jonny\AppData\Roaming\chrtmp
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2011.08.30 06:21:15 | 014,164,480 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2011.08.30 05:28:32 | 012,868,096 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2010.07.12 16:56:26 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\DeepBurner
[2011.12.10 15:32:47 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\DVDVideoSoft
[2011.12.10 15:32:41 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\DVDVideoSoftIEHelpers
[2013.02.18 13:18:56 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Elfeuz
[2013.02.15 10:26:19 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Evelsa
[2012.09.25 17:47:52 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Foxit Software
[2012.09.17 14:57:43 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\gtk-2.0
[2013.02.18 13:18:56 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Ifycu
[2010.07.01 21:29:41 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\OpenOffice.org
[2011.01.29 11:17:24 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Opera
[2013.02.15 10:25:48 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Owym
[2010.10.27 14:45:12 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Teeworlds
[2011.11.02 17:11:32 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\toolplugin
[2012.12.08 15:41:05 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\TS3Client
[2010.10.27 16:58:23 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Uniblue
[2013.02.18 13:18:56 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Uqiber
[2012.09.26 00:10:04 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\Voowu
[2012.01.19 21:03:03 | 000,000,000 | ---D | M] -- C:\Users\Jonny\AppData\Roaming\WNR
 
========== Purity Check ==========
 
 

< End of report >

Code:

ATTFilter

OTL Extras logfile created on: 18.02.2013 14:03:35 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Jonny\Desktop
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 3,22 Gb Available Physical Memory | 80,58% Memory free
8,00 Gb Paging File | 7,33 Gb Available in Paging File | 91,66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 239,50 Gb Total Space | 154,67 Gb Free Space | 64,58% Space Free | Partition Type: NTFS
Drive J: | 37,79 Gb Total Space | 0,99 Gb Free Space | 2,62% Space Free | Partition Type: NTFS
 
Computer Name: JONNY-PC | User Name: Jonny | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = Opera.HTML] -- C:\Program Files (x86)\Opera\Opera.exe (Opera Software)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Program Files (x86)\Opera\Opera.exe (Opera Software)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software)
https [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software)
https [open] -- "C:\Program Files (x86)\Opera\opera.exe" "%1" (Opera Software)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{048A0543-1D2F-499D-9992-6EB3EF39EBCB}" = rport=137 | protocol=17 | dir=out | app=system | 
"{049CD744-0C48-406E-9693-3995733ED5FA}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{1EDEC52E-4D0F-4CC2-9A87-1FBE4AF986B5}" = lport=139 | protocol=6 | dir=in | app=system | 
"{2057DAE0-5549-4838-B7CF-C289184D979B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{20CF5CC4-B0E7-41CF-BA11-72B82BF51911}" = rport=139 | protocol=6 | dir=out | app=system | 
"{21A40D03-2E22-4B74-B694-E7233B910E71}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{239227FA-C092-40AD-BBD9-20EC289B1855}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{25C3FEB2-C489-4607-AF96-8C52839DEF92}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{2FE6A0A7-5009-4915-B2EA-695113237425}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{362941E1-C2DA-4A03-940B-7F9FD847A7CE}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{4F2025C1-A335-465D-8E6C-DCD8892C8C53}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{5A042946-543D-48BA-AD1E-E786783B7B5D}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{65D2A90E-B462-4322-B72C-3C41AB4B36EE}" = lport=137 | protocol=17 | dir=in | app=system | 
"{6DE15638-28D5-4267-89BE-93360C89ADE7}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{7C953F63-EA15-4B75-AA37-87FADCA0C066}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{8179FEB0-17C6-4610-86FE-1AAA7B6A9580}" = rport=445 | protocol=6 | dir=out | app=system | 
"{836A5495-30D2-4574-9709-7653E5CD6FE1}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{8504E3C4-E1A1-4F8D-A021-F6510ABB39E6}" = rport=138 | protocol=17 | dir=out | app=system | 
"{8C4E4D8D-EEFA-409A-9902-0172DB28F1B1}" = lport=445 | protocol=6 | dir=in | app=system | 
"{A38F3CEC-22A6-4694-9ED9-7F467670E24D}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{AD6239A1-BC74-4895-8D4A-CFA239BA2FC2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{BC0FCA66-2693-4832-98EC-B561437C5A3A}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{C9E2DB1C-22A4-4086-A5A9-33DBF1104348}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{CD37D1D1-7A3B-4753-9F96-4BBFF867C1A4}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{D4898D70-DBE0-46A1-A686-15DA1AA7C454}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{D7305AD6-2640-42E2-B9A4-DE8B69020732}" = lport=138 | protocol=17 | dir=in | app=system | 
"{D9DD432D-5CE5-4D21-A282-617F4BD90B81}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{F4B1B357-1F31-4DCF-9267-C0DD03F4402F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{F8F7DA22-E296-4C08-BF01-0E5407C0FF21}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{FC47803B-2FBE-479C-9B13-CD00AAC46374}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{FE95CA35-8476-45EB-9343-20D2B0BE0FF6}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02566D34-E05D-4C05-9F32-2FAB6601EA92}" = protocol=17 | dir=in | app=c:\program files (x86)\proxyswitch\proxy switcher standard\proxyswitcher.exe | 
"{153757DA-0AC0-425D-9CBB-8C937AAE67C6}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{1629C905-E5C6-4F8D-B334-20967BC2150C}" = protocol=17 | dir=in | app=c:\spiele\age of empires ii\age2_x1\age2_x1.exe | 
"{19F40BEE-A791-433B-9502-95DE9B164C8B}" = protocol=6 | dir=in | app=c:\spiele\age of empires ii\age2_x1\age2_x1.exe | 
"{1B2FC642-CBE8-4BA0-A3F7-45642EB46B82}" = protocol=17 | dir=in | app=c:\program files (x86)\proxyswitch\proxy switcher standard\proxyswitcher.exe | 
"{1EAA1E72-9A86-468B-B58D-3A5E86FCAE40}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe | 
"{200C6280-9014-4E70-A0AD-D52A4FBA97E9}" = protocol=6 | dir=in | app=c:\spiele\aoe 1.0c neu\age of empires ii 1.0c\age2_x1\age2_x1.exe | 
"{309FC48E-FA9E-476D-8349-A4EB714824DA}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{348CEC0B-5BDE-4F3F-96E3-ED4871B9B92F}" = protocol=6 | dir=in | app=c:\program files (x86)\opera\opera.exe | 
"{3B632EE4-07D8-421D-9DB8-E564CC7201BC}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe | 
"{3DF1C5A7-593E-4B9E-B695-91A51E3CC4FE}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{40DF25BD-11AC-40D2-B0D7-F194092D45AB}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{421E489D-BDCF-41CB-9271-0622ECF7A532}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{4A17F052-D4E3-4948-B848-14CFB447FF2D}" = protocol=6 | dir=in | app=c:\program files (x86)\opera\pluginwrapper\opera_plugin_wrapper.exe | 
"{4B2B2AA6-9326-4859-93B3-A8A689ADF4AF}" = protocol=17 | dir=in | app=c:\spiele\aoe ii\age2_x1\age2_x1.exe | 
"{4E86FD94-5A57-43C8-A308-DDB0E271D412}" = protocol=17 | dir=in | app=c:\program files (x86)\proxy switcher standard\proxyswitcher.exe | 
"{55968813-E577-4C37-B4DD-EC17200DDC92}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{5D1A31C5-D4B9-4AD1-B7A6-1AAF3D40C419}" = protocol=6 | dir=in | app=c:\spiele\world in conflict\wic.exe | 
"{5DAA1D01-42AA-4CDA-AD6C-70DDC8382F59}" = protocol=17 | dir=in | app=c:\users\jonny\appdata\roaming\spotify\spotify.exe | 
"{6D073DE3-B78A-4B26-9A5B-3361701027B9}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{7167B10D-C66F-4831-A8C0-F2E339ECF55D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{719754AF-6000-4AEB-B7B6-B6E310071F0C}" = protocol=6 | dir=in | app=c:\program files (x86)\proxy switcher standard\proxyswitcher.exe | 
"{719D32E1-E376-4759-BB33-424B41010009}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{74541585-814D-4B01-86FA-6B1D33D03914}" = protocol=6 | dir=in | app=c:\spiele\aoe ii\age2_x1\age2_x1.exe | 
"{82121351-A8FA-4B24-B79B-0717AAE60616}" = protocol=17 | dir=in | app=c:\program files (x86)\opera\opera.exe | 
"{83912394-FDDD-42AB-840F-9417A07DB82E}" = protocol=17 | dir=in | app=c:\spiele\aoe 1.0c neu\age of empires ii 1.0c\age2_x1\age2_x1.exe | 
"{8713ED2F-998B-4125-B292-EBFDAEAF943A}" = protocol=6 | dir=in | app=c:\program files (x86)\proxy switcher standard\proxyswitcher.exe | 
"{9275B377-617A-4603-95BB-01290EC4DC8E}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{96F6BF2E-C463-4F1C-AE1F-9F92D9B66A31}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{9C8A8765-1847-4CE2-BB6C-1FF843CEB932}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{A160474F-DD16-47BF-A5C8-BC07A810F348}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{A58E16E6-FE2F-40B9-AA33-58ED1EE68DB4}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dota 2 beta\dota.exe | 
"{A5E9E7BF-4D29-4F9D-A978-6FE6E81EC9F5}" = protocol=17 | dir=in | app=c:\users\jonny\appdata\roaming\spotify\spotify.exe | 
"{A71F30CB-1B4A-4D7A-8894-B1E8D41A8BFA}" = protocol=6 | dir=in | app=c:\users\jonny\appdata\roaming\spotify\spotify.exe | 
"{A7DD72EC-3D4A-4B15-A2F4-A9D2721DCD8E}" = protocol=6 | dir=in | app=c:\program files (x86)\proxyswitch\proxy switcher standard\proxyswitcher.exe | 
"{A92A2B5E-E5B0-4DC1-B7CE-101BC3DB8212}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{A9C72DB1-57AE-4519-850E-84635D98FEC7}" = protocol=17 | dir=in | app=c:\program files (x86)\proxy switcher standard\proxyswitcher.exe | 
"{AE10796A-B203-45EB-852F-642D894B64B8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{AF41F608-86EB-47F8-B5B9-52C012B50709}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dota 2 beta\dota.exe | 
"{B3236891-9021-4425-8708-394E9C0DEFCC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{B87D7B62-291F-4A35-A21F-860ED818F2D5}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{BDF4DCCA-5E11-4284-A889-F8AC29732F01}" = protocol=17 | dir=in | app=c:\program files (x86)\opera\pluginwrapper\opera_plugin_wrapper.exe | 
"{C0CCC549-BB43-48CF-B178-E536F82518E7}" = protocol=6 | dir=in | app=c:\program files (x86)\proxyswitch\proxy switcher standard\proxyswitcher.exe | 
"{C24492F3-243C-4865-82A7-774C26C1CA89}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{C9A146D9-012B-496E-A4CD-8F767F8FA7E0}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{CE691BBF-F879-4A8E-B793-D43894F59296}" = protocol=6 | dir=out | app=system | 
"{D357D821-49F1-4722-8C2C-436125E801E7}" = protocol=17 | dir=in | app=c:\spiele\world in conflict\wic.exe | 
"{EF4201E0-EBB5-43E2-AF32-58B002FA3BA1}" = protocol=6 | dir=in | app=c:\users\jonny\appdata\roaming\spotify\spotify.exe | 
"{F6C6F079-A6B9-42F3-B8DD-066228CF9BE0}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"TCP Query User{09F005A7-F1E9-4825-91F7-B0C30143A43A}C:\setups\gproxyplusplus_ptr_windows_1.0\gproxy.exe" = protocol=6 | dir=in | app=c:\setups\gproxyplusplus_ptr_windows_1.0\gproxy.exe | 
"TCP Query User{12DB7C0A-995E-42DB-A19C-1FE4DA6CDB98}C:\spiele\bloodline\binary\bloodlinechampions.exe" = protocol=6 | dir=in | app=c:\spiele\bloodline\binary\bloodlinechampions.exe | 
"TCP Query User{19FD0D25-A2D2-42F6-9202-0E64874C6B7D}C:\spiele\tmnationsforever\tmforever.exe" = protocol=6 | dir=in | app=c:\spiele\tmnationsforever\tmforever.exe | 
"TCP Query User{2D108A3F-C903-4074-8F20-F4828A8C1C29}C:\users\jonny\appdata\roaming\voowu\ovfu.exe" = protocol=6 | dir=in | app=c:\users\jonny\appdata\roaming\voowu\ovfu.exe | 
"TCP Query User{3ACB8156-8231-48A1-8DA2-E09ED815D07E}C:\users\jonny\desktop\c.s.1.6\hl.exe" = protocol=6 | dir=in | app=c:\users\jonny\desktop\c.s.1.6\hl.exe | 
"TCP Query User{3E328B0A-A662-4CC5-9C0D-633F7B69E02B}C:\spiele\age of empires ii\age2_x1\age2_x1.exe" = protocol=6 | dir=in | app=c:\spiele\age of empires ii\age2_x1\age2_x1.exe | 
"TCP Query User{4A8DD5E0-13D6-4048-9454-05C98B5179A5}C:\users\jonny\appdata\roaming\voowu\ovfu.exe" = protocol=6 | dir=in | app=c:\users\jonny\appdata\roaming\voowu\ovfu.exe | 
"TCP Query User{540914E0-71AA-4E10-8BD1-EBD5938190E8}C:\spiele\age of empires ii 1.0c\age2_x1\age2_x1.exe" = protocol=6 | dir=in | app=c:\spiele\age of empires ii 1.0c\age2_x1\age2_x1.exe | 
"TCP Query User{6BAA8BD1-0F75-48D7-A97F-84B0DD3255EF}C:\spiele\ut3\binaries\ut3.exe" = protocol=6 | dir=in | app=c:\spiele\ut3\binaries\ut3.exe | 
"TCP Query User{71D26456-38E0-486C-ACBA-B056A5FE7116}C:\spiele\warcraftiii (crack version)\war3.exe" = protocol=6 | dir=in | app=c:\spiele\warcraftiii (crack version)\war3.exe | 
"TCP Query User{7ED66356-749D-48BA-9FD8-DC53B1B3D386}C:\spiele\aoe 1.0c neu\age of empires ii 1.0c\age2_x1\age2_x1.exe" = protocol=6 | dir=in | app=c:\spiele\aoe 1.0c neu\age of empires ii 1.0c\age2_x1\age2_x1.exe | 
"TCP Query User{86E6FB9C-0A0E-4EE6-966B-BE09590A1B96}C:\users\jonny\desktop\warcraftiii (crack version)\war3.exe" = protocol=6 | dir=in | app=c:\users\jonny\desktop\warcraftiii (crack version)\war3.exe | 
"TCP Query User{88F0E410-B0CF-4B77-A517-16F7D6CB6F77}C:\windows\syswow64\dplaysvr.exe" = protocol=6 | dir=in | app=c:\windows\syswow64\dplaysvr.exe | 
"TCP Query User{8D60042F-0D44-4D5E-86ED-2F1F64D3295B}C:\spiele\warcraft iii\dotalicious\dotalicious gaming client\client.exe" = protocol=6 | dir=in | app=c:\spiele\warcraft iii\dotalicious\dotalicious gaming client\client.exe | 
"TCP Query User{8DF95AE1-4865-4C00-9B11-8D789D165697}C:\spiele\aoe ii\age2_x1\age2_x1.exe" = protocol=6 | dir=in | app=c:\spiele\aoe ii\age2_x1\age2_x1.exe | 
"TCP Query User{970F9979-6E32-459E-A7CA-4C0153F9756A}C:\spiele\blobby\volley.exe" = protocol=6 | dir=in | app=c:\spiele\blobby\volley.exe | 
"TCP Query User{A71CCDC6-843F-4711-86A7-70204BD00AB8}C:\program files (x86)\steam\steamapps\common\dota 2 beta\dota.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dota 2 beta\dota.exe | 
"TCP Query User{A9220734-7510-4F62-A856-7A2E6C32E545}C:\spiele\cod 2\cod2mp_s.exe" = protocol=6 | dir=in | app=c:\spiele\cod 2\cod2mp_s.exe | 
"TCP Query User{ABBA1BE4-DFAA-42AE-BE16-BA96D9EB02BA}C:\spiele\blobby\volley.exe" = protocol=6 | dir=in | app=c:\spiele\blobby\volley.exe | 
"TCP Query User{B7429E83-E3DD-4B0A-AB90-D1B7A3F9E1CF}C:\users\jonny\appdata\roaming\owym\tuni.exe" = protocol=6 | dir=in | app=c:\users\jonny\appdata\roaming\owym\tuni.exe | 
"TCP Query User{C53FA1A3-EDA8-4B3D-8721-AE79578B26D2}C:\spiele\c.s.1.6\hl.exe" = protocol=6 | dir=in | app=c:\spiele\c.s.1.6\hl.exe | 
"TCP Query User{DCEFCD2A-508F-44E2-913E-0A4FE8D1207A}C:\spiele\warcraft iii\dotalicious\dotalicious gaming client\client.exe" = protocol=6 | dir=in | app=c:\spiele\warcraft iii\dotalicious\dotalicious gaming client\client.exe | 
"TCP Query User{E81EE496-5CD5-485B-86F2-3EAA8E4494C9}C:\spiele\warcraft iii\war3.exe" = protocol=6 | dir=in | app=c:\spiele\warcraft iii\war3.exe | 
"TCP Query User{E99C3AAE-C1AD-424F-90FD-FBBB094A2C8C}C:\program files (x86)\steam\steamapps\bakacake\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\bakacake\team fortress 2\hl2.exe | 
"TCP Query User{F7A2F29A-B450-462E-A813-40518F941006}C:\program files (x86)\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files (x86)\opera\opera.exe | 
"UDP Query User{1C919F48-B648-4115-B5C1-74A7C8E6C6C7}C:\program files (x86)\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files (x86)\opera\opera.exe | 
"UDP Query User{1E05FF93-F6E2-4370-A318-35A5EA09C362}C:\users\jonny\appdata\roaming\owym\tuni.exe" = protocol=17 | dir=in | app=c:\users\jonny\appdata\roaming\owym\tuni.exe | 
"UDP Query User{347BF203-F0D2-47E5-A388-69BFB1A5484A}C:\spiele\ut3\binaries\ut3.exe" = protocol=17 | dir=in | app=c:\spiele\ut3\binaries\ut3.exe | 
"UDP Query User{4DB6233A-0531-4403-A3E8-C91673420CCD}C:\spiele\aoe ii\age2_x1\age2_x1.exe" = protocol=17 | dir=in | app=c:\spiele\aoe ii\age2_x1\age2_x1.exe | 
"UDP Query User{562D3211-3973-4601-829E-36C4AE4FC478}C:\spiele\warcraft iii\dotalicious\dotalicious gaming client\client.exe" = protocol=17 | dir=in | app=c:\spiele\warcraft iii\dotalicious\dotalicious gaming client\client.exe | 
"UDP Query User{623B766D-BCE6-4329-83FB-C0059D259B91}C:\spiele\warcraft iii\war3.exe" = protocol=17 | dir=in | app=c:\spiele\warcraft iii\war3.exe | 
"UDP Query User{62C53180-1F8E-43C1-A76E-5D0A1098439B}C:\spiele\c.s.1.6\hl.exe" = protocol=17 | dir=in | app=c:\spiele\c.s.1.6\hl.exe | 
"UDP Query User{7229102E-6F66-4124-99B4-2781460A1ECB}C:\spiele\age of empires ii\age2_x1\age2_x1.exe" = protocol=17 | dir=in | app=c:\spiele\age of empires ii\age2_x1\age2_x1.exe | 
"UDP Query User{9346600F-D8C3-4B05-9068-2600C7583379}C:\windows\syswow64\dplaysvr.exe" = protocol=17 | dir=in | app=c:\windows\syswow64\dplaysvr.exe | 
"UDP Query User{9D253098-94A1-4E45-AF11-258CAB7B9473}C:\users\jonny\appdata\roaming\voowu\ovfu.exe" = protocol=17 | dir=in | app=c:\users\jonny\appdata\roaming\voowu\ovfu.exe | 
"UDP Query User{9DB158E5-86BA-43DC-8D4C-B7BF2914DBC3}C:\users\jonny\desktop\warcraftiii (crack version)\war3.exe" = protocol=17 | dir=in | app=c:\users\jonny\desktop\warcraftiii (crack version)\war3.exe | 
"UDP Query User{A5219705-E99E-4D21-9636-47A23274B937}C:\program files (x86)\steam\steamapps\common\dota 2 beta\dota.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dota 2 beta\dota.exe | 
"UDP Query User{A8EB2C77-4ADB-4C5E-9FF8-F28BD121D56D}C:\spiele\warcraftiii (crack version)\war3.exe" = protocol=17 | dir=in | app=c:\spiele\warcraftiii (crack version)\war3.exe | 
"UDP Query User{B409BF66-62AF-4943-9BDA-9C351769854B}C:\spiele\age of empires ii 1.0c\age2_x1\age2_x1.exe" = protocol=17 | dir=in | app=c:\spiele\age of empires ii 1.0c\age2_x1\age2_x1.exe | 
"UDP Query User{B807F464-B5F1-468B-942B-8EED64FB7595}C:\spiele\blobby\volley.exe" = protocol=17 | dir=in | app=c:\spiele\blobby\volley.exe | 
"UDP Query User{B8530058-6D8B-4C3F-8490-8E848A29D6C0}C:\spiele\tmnationsforever\tmforever.exe" = protocol=17 | dir=in | app=c:\spiele\tmnationsforever\tmforever.exe | 
"UDP Query User{B92BAA7C-6C70-45F4-A382-19B9053DED5F}C:\spiele\cod 2\cod2mp_s.exe" = protocol=17 | dir=in | app=c:\spiele\cod 2\cod2mp_s.exe | 
"UDP Query User{BAEAFDE4-D136-4EAE-B359-4B40394A64FE}C:\spiele\warcraft iii\dotalicious\dotalicious gaming client\client.exe" = protocol=17 | dir=in | app=c:\spiele\warcraft iii\dotalicious\dotalicious gaming client\client.exe | 
"UDP Query User{CD3A4411-F1B6-4380-8546-98721884DEF2}C:\program files (x86)\steam\steamapps\bakacake\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\bakacake\team fortress 2\hl2.exe | 
"UDP Query User{D2273F3A-9A6A-41C5-8254-98DD62999123}C:\spiele\aoe 1.0c neu\age of empires ii 1.0c\age2_x1\age2_x1.exe" = protocol=17 | dir=in | app=c:\spiele\aoe 1.0c neu\age of empires ii 1.0c\age2_x1\age2_x1.exe | 
"UDP Query User{D823C7CC-95F5-40A0-85E7-1C46388FD166}C:\users\jonny\appdata\roaming\voowu\ovfu.exe" = protocol=17 | dir=in | app=c:\users\jonny\appdata\roaming\voowu\ovfu.exe | 
"UDP Query User{E1312C36-15CE-47FA-917A-9EB47A2F3BC6}C:\spiele\bloodline\binary\bloodlinechampions.exe" = protocol=17 | dir=in | app=c:\spiele\bloodline\binary\bloodlinechampions.exe | 
"UDP Query User{E2E5B9ED-093A-44D0-9BB3-10E86CD4D7B3}C:\setups\gproxyplusplus_ptr_windows_1.0\gproxy.exe" = protocol=17 | dir=in | app=c:\setups\gproxyplusplus_ptr_windows_1.0\gproxy.exe | 
"UDP Query User{EBAC20D8-6067-4579-8CE8-B433AFA41A55}C:\spiele\blobby\volley.exe" = protocol=17 | dir=in | app=c:\spiele\blobby\volley.exe | 
"UDP Query User{F5D08DEE-D8D9-41CC-870F-1B41E3880BD1}C:\users\jonny\desktop\c.s.1.6\hl.exe" = protocol=17 | dir=in | app=c:\users\jonny\desktop\c.s.1.6\hl.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"WinRAR archiver" = WinRAR
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.1
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{E6DA58C0-4EC5-4F5E-B73E-2F22ED30ACFC}" = Razer Krait
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"DotAlicious Gaming Client" = DotAlicious Gaming Client
"DotAzilla" = DotAzilla
"Foxit Reader" = Foxit Reader
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"Mozilla Firefox 18.0.2 (x86 de)" = Mozilla Firefox 18.0.2 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Opera 12.02.1578" = Opera 12.02
"Steam App 240" = Counter-Strike: Source
"Steam App 570" = Dota 2
"toolplugin" = toolplugin
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VLC media player 1.1.4
"Warcraft III" = Warcraft III
"Warkeys" = Warkeys 1.16.0.0b
"WinGimp-2.0_is1" = GIMP 2.6.11
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"TeamSpeak 3 Client" = TeamSpeak 3 Client
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 28.01.2013 16:53:28 | Computer Name = JONNY-PC | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files
 (x86)\spybot - search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei
 "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" in Zeile 8.  Der
 Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.
 
Error - 04.02.2013 06:57:38 | Computer Name = JONNY-PC | Source = Windows Backup | ID = 4104
Description = 
 
Error - 05.02.2013 14:07:32 | Computer Name = JONNY-PC | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files
 (x86)\spybot - search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei
 "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" in Zeile 8.  Der
 Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.
 
Error - 06.02.2013 07:14:32 | Computer Name = JONNY-PC | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files
 (x86)\spybot - search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei
 "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" in Zeile 8.  Der
 Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.
 
Error - 07.02.2013 16:05:47 | Computer Name = JONNY-PC | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files
 (x86)\spybot - search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei
 "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" in Zeile 8.  Der
 Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.
 
Error - 09.02.2013 05:08:05 | Computer Name = JONNY-PC | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files
 (x86)\spybot - search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei
 "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" in Zeile 8.  Der
 Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.
 
Error - 10.02.2013 06:10:46 | Computer Name = JONNY-PC | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files
 (x86)\spybot - search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei
 "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" in Zeile 8.  Der
 Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.
 
Error - 11.02.2013 05:15:59 | Computer Name = JONNY-PC | Source = Windows Backup | ID = 4104
Description = 
 
Error - 11.02.2013 12:12:19 | Computer Name = JONNY-PC | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files
 (x86)\spybot - search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei
 "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" in Zeile 8.  Der
 Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.
 
Error - 13.02.2013 15:26:18 | Computer Name = JONNY-PC | Source = SideBySide | ID = 16842815
Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files
 (x86)\spybot - search & destroy\DelZip179.dll". Fehler in Manifest- oder Richtliniendatei
 "c:\program files (x86)\spybot - search & destroy\DelZip179.dll" in Zeile 8.  Der
 Wert "*" des "language"-Attributs im assemblyIdentity-Element ist ungültig.
 
[ System Events ]
Error - 18.02.2013 08:56:06 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 08:58:14 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 08:58:14 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 08:58:14 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 09:03:14 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 09:03:14 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 09:03:14 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 09:05:20 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 09:05:20 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
Error - 18.02.2013 09:05:20 | Computer Name = JONNY-PC | Source = Service Control Manager | ID = 7001
Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der
 aufgrund folgenden Fehlers nicht gestartet wurde:   %%1068
 
 
< End of report >

Code:

ATTFilter

GMER 2.1.18952 - hxxp://www.gmer.net
Rootkit scan 2013-02-18 14:31:12
Windows 6.1.7600  x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 SAMSUNG_HD322HJ rev.1AC01112 298,09GB
Running: GMER_2.1.18952.exe; Driver: C:\Users\Jonny\AppData\Local\Temp\fgloypog.sys


---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [1388:1700]  000007fef75f9688

---- EOF - GMER 2.1 ----

Code:

ATTFilter

 Malwarebytes Anti-Malware  (Test) 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.02.18.06

Windows 7 x64 NTFS (Abgesichertenmodus/Netzwerkfähig)
Internet Explorer 8.0.7600.16385
Jonny :: JONNY-PC [Administrator]

Schutz: Deaktiviert

18.02.2013 13:35:02
MBAM-log-2013-02-18 (13-40-53).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 227413
Laufzeit: 2 Minute(n), 51 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 7
HKCU\SOFTWARE\65MWRMP54G (Trojan.FakeAlert) -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\U36VRSFLG6 (Trojan.FakeAlert) -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\XML (Trojan.FakeAlert) -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Keine Aktion durchgeführt.
HKCU\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Keine Aktion durchgeführt.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Keine Aktion durchgeführt.

Infizierte Registrierungswerte: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ovfu.exe (Spyware.Zbot) -> Daten: C:\Users\Jonny\AppData\Roaming\Voowu\ovfu.exe -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|tuni.exe (Spyware.Zbot.USBV) -> Daten: C:\Users\Jonny\AppData\Roaming\Owym\tuni.exe -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Metropolis (Trojan.FakeAlert) -> Daten: rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|U36VRSFLG6 (Trojan.FakeAlert) -> Daten: C:\Users\Jonny\AppData\Local\Temp\Ebr.exe -> Keine Aktion durchgeführt.

Infizierte Dateiobjekte der Registrierung: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bösartig: (hxxp://domredi.com/1/) Gut: (hxxp://www.google.com) -> Keine Aktion durchgeführt.

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 11
C:\Users\Jonny\AppData\Roaming\Voowu\ovfu.exe (Spyware.Zbot) -> Keine Aktion durchgeführt.
C:\Users\Jonny\AppData\Roaming\Owym\tuni.exe (Spyware.Zbot.USBV) -> Keine Aktion durchgeführt.
C:\Users\Jonny\AppData\Roaming\Ifycu\emta.exe (Spyware.Zbot.USBV) -> Keine Aktion durchgeführt.
C:\Users\Jonny\AppData\Local\Temp\tmp63f0a3e0\FFT1_1.exe (Spyware.Zbot.USBV) -> Keine Aktion durchgeführt.
C:\Users\Jonny\AppData\Local\Temp\tmp990b5a03\FFT1_1.exe (Spyware.Zbot.USBV) -> Keine Aktion durchgeführt.
C:\Users\Jonny\AppData\Local\Temp\tmpd6781d0b\ML1_1.exe (Spyware.Zbot.USBV) -> Keine Aktion durchgeführt.
C:\Users\Jonny\AppData\Local\Temp\tmpee4f9b20\ML1_1.exe (Spyware.Zbot.USBV) -> Keine Aktion durchgeführt.
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Keine Aktion durchgeführt.
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Trojan.FakeAlert) -> Keine Aktion durchgeführt.
C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Keine Aktion durchgeführt.
C:\Windows\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job (Trojan.Downloader) -> Keine Aktion durchgeführt.

(Ende)

markusg · 18.02.2013, 15:34

Hi
wird dieses Gerät für Onlinebanking, zum einkaufen, für sonstige Zahlungsabwicklungen, oder ähnlich wichtigem, wie beruflichem genutzt?

elJonny · 18.02.2013, 17:48

Ja, für Online-Banking. Kann es sein, dass jetzt jemand Zugang zu diesen Daten hat?

markusg · 18.02.2013, 18:16

Jepp.
Deswegen, Bank anrufen, Notfallnummer:
116 116
und Onlinebanking wegen Zbot Trojaner sperren lassen.
Infos über Zbot:
Der Zeus-Trojaner

Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der Schnellere und der sicherste Weg, zumal du deinen PC
für onlinebanking, verwendest
Solltest Du Dich für eine Bereinigung entscheiden, arbeite solange mit, bis dir jemand vom Team sagt, dass Du clean bist.

Wenn es mein PC währe, würd ich ihn neu machen, aber das ist nur meine Meinung dazu, deine zehlt in diesem Falle :-)

elJonny · 19.02.2013, 15:01

Alles klar, werde Windows neu draufhauen.
Vielen Dank für die Hilfe!

markusg · 19.02.2013, 17:03

hi,
1. Datenrettung:

deaktiviere Autorun: http://www.trojaner-board.de/83238-a...sschalten.html
dann sichere Daten auf nen externen datenträger: http://www.trojaner-board.de/82533-d...ted-magic.html
Bilder, Dokumente, Musik Videos (persönliches) http://www.trojaner-board.de/71715-k...iendungen.html

2. Formatieren, Windows neu instalieren:

nutzt du eine Windows CD: http://www.trojaner-board.de/51262-a...sicherung.html
recovery cd oder recovery partition.
falls dies ein fertig pc ist, nenne hersteller + typ.
Keine Windows 7 DVD? http://www.trojaner-board.de/100776-...-download.html

3. PC absichern: http://www.trojaner-board.de/96344-a...-rechners.html
ich werde außerdem noch weitere punkte dazu posten.
4. alle Passwörter ändern!
5. nach PC Absicherung, die gesicherten Daten prüfen und falls sauber: zurückspielen.
6. werde ich dann noch was zum absichern von Onlinebanking mit Chip Card Reader + Star Money sagen.

18.02.2013, 15:34	#2
markusg /// Malware-holic	Weißer Bildschirm mit roten Rändern nach Boot Hi wird dieses Gerät für Onlinebanking, zum einkaufen, für sonstige Zahlungsabwicklungen, oder ähnlich wichtigem, wie beruflichem genutzt? __________________ __________________

Weißer Bildschirm mit roten Rändern nach Boot

Plagegeister aller Art und deren Bekämpfung: Weißer Bildschirm mit roten Rändern nach Boot