
Pests of all kinds and how to fight them: BKA-Malware

16.12.2011, 21:54   #1
Khala

Hi,

a long time ago I had one of these BKA malwares, where a supposed message from the BKA appeared and I was asked to enter a Paysafecard code or ukash worth 100€.
Back then I simply killed the process quickly at startup, and for the time being I had no further problems.
Then another version of the malware came along, and that one was more stubborn.
It was called mahmud.exe, and I was able to delete it from another user account or likewise kill the process quickly. I also deleted the file and read elsewhere that this should be enough; I even tried deleting it from the registry, but it kept coming back.
By now I have seen 4 different malwares of this kind.
All the others have disappeared; the current one appeared today for the first time.
With it, Internet Explorer is started and a page at the IP hxxp://85.121.39.38 is opened.
The Task Manager gets locked, unless I kill ctfmon.exe at startup, but I am not sure whether that is the cause.
On shutdown I also notice that instead of the single logoff sound, it plays 2 times.

Why do I keep getting new malwares of this kind? I don't visit any odd sites; I am mostly just on Facebook.
Did I catch a rootkit at some point earlier? I have also already tried tdsskiller, but without success.


Regards

16.12.2011, 22:22   #2
Chris4You

Hi,

can you boot into Windows normally? If so:
Malwarebytes Anti-Malware (MAM)
Instructions & download here: http://www.trojaner-board.de/51187-m...i-malware.html
If the download does not work, please download a generic version via:
http://filepony.de/download-chameleon/
Then update the signature files (tab "Update" -> "Check for updates")
Run a full scan and let it clean everything! Post the log.

Otherwise:
Download OTL and copy it to a USB stick, then boot the computer into Safe Mode with Command Prompt (press F8 while booting).
Then copy OTL.exe from the stick to the computer (copy E:\OTL.EXE .) (if E is your USB stick). Run OTL, copy the logs back and post them here...

OTL
Download OTL by OldTimer (http://filepony.de/download-otl/) and save it to your desktop
  • Vista/Win7 users: right-click OTL.exe and choose "Run as administrator"
  • At the top you will find a box labelled Output. Please select Minimal Output
  • Under Extra Registry, please select Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 log files are created (OTL.TXT and EXTRAS.TXT)
  • Post the log files here in the thread

chris

17.12.2011, 14:24   #3
Khala

Well, not quite with the infected account; right after logging in I always have to open Task Manager quickly and end the ctfmon.exe process, then everything runs normally.
Otherwise I cannot open the Task Manager afterwards; it always gets closed.

I have now run the program; here are the results:
Quote:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Datenbank Version: 8384

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19088

17.12.2011 14:18:35
mbam-log-2011-12-17 (14-18-35).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Durchsuchte Objekte: 525632
Laufzeit: 4 Stunde(n), 14 Minute(n), 59 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 7

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.FakeAlert) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4E3E0230AEBB4E96 (Trojan.SpyEyes) -> Value: 4E3E0230AEBB4E96 -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\Users\Hy-Van\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\VD8XX5PV\readme[1].exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
c:\Users\Hy-Van\AppData\Local\Temp\wpbt0.dll (Trojan.Zbot.CBCGen) -> Delete on reboot.
c:\Users\Hy-Van\AppData\Roaming\5037\components\AcroFF5.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
c:\Users\Hy-Van\AppData\Roaming\5037\components\AcroFF6.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
c:\Users\Hy-Van\AppData\Roaming\5037\components\AcroFF7.dll (Trojan.Passwords) -> Quarantined and deleted successfully.
c:\programdata\sysreserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Hy-Van\AppData\Roaming\mahmud.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
One file could not be deleted:
Quote:
10:00:39 Hy-Van MESSAGE Protection started successfully
10:00:46 Hy-Van MESSAGE IP Protection started successfully
14:18:55 Hy-Van DETECTION C:\USERS\HY-VAN\APPDATA\LOCAL\TEMP\WPBT0.DLL Trojan.Zbot.CBCGen QUARANTINE
14:18:56 Hy-Van ERROR Quarantine failed: DeleteFile failed with error code 5
14:23:02 Hy-Van DETECTION C:\USERS\HY-VAN\APPDATA\LOCAL\TEMP\WPBT0.DLL Trojan.Zbot.CBCGen DENY
Is it enough if I delete it manually?

EDIT:
I just did a restart after letting Malwarebytes run.
Windows reports that SysMonitor.exe has stopped working.
In addition, RunDLL reports an error loading wpbt0.dll.
So part of the malware is still on there, I assume, and it just cannot load the dll?

Regards

Last edited by Khala (17.12.2011 at 14:35)
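The scan log and the protection log quoted in this post can be triaged mechanically. The following is an added example (not code from the thread or from Malwarebytes): it parses the two MBAM 1.x line formats quoted above and lists the detections the logs do not show as gone, i.e. those scheduled for deletion on reboot or whose quarantine failed. The sample lines are copied from the post; the Win32 error-code names are the standard ones (code 5 is ERROR_ACCESS_DENIED).

```python
"""Triage for Malwarebytes' Anti-Malware 1.x logs: added example, not code from
the thread or from Malwarebytes. Sample lines are copied from the post above."""
import re

# Scan-log detection line:  <item> (<family>) -> [Value: <name> -> ]<action>.
SCAN_LINE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Value: (?P<value>.+?) -> )?(?P<action>.+?)\.?$"
)
# Protection-log line:  <hh:mm:ss> <user> <MESSAGE|DETECTION|ERROR> <rest>
PROT_LINE = re.compile(r"^\d\d:\d\d:\d\d \S+ (?P<kind>MESSAGE|DETECTION|ERROR) (?P<rest>.*)$")
DETECTION = re.compile(r"^(?P<path>.+) (?P<family>\S+) (?P<action>QUARANTINE|DENY|ALLOW)$")
QUARANTINE_ERROR = re.compile(r"Quarantine failed: (?P<api>\w+) failed with error code (?P<code>\d+)")
# Standard Win32 error codes behind a failed DeleteFile (5 is what the post shows).
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION"}

# Sample input, copied from the scan log in the post above.
SCAN_LOG = r"""
Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.FakeAlert) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4E3E0230AEBB4E96 (Trojan.SpyEyes) -> Value: 4E3E0230AEBB4E96 -> Quarantined and deleted successfully.

Infizierte Dateien:
c:\Users\Hy-Van\AppData\Local\Temp\wpbt0.dll (Trojan.Zbot.CBCGen) -> Delete on reboot.
c:\Users\Hy-Van\AppData\Roaming\mahmud.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
"""
# Sample input, copied from the protection log in the post above.
PROTECTION_LOG = r"""
10:00:39 Hy-Van MESSAGE Protection started successfully
14:18:55 Hy-Van DETECTION C:\USERS\HY-VAN\APPDATA\LOCAL\TEMP\WPBT0.DLL Trojan.Zbot.CBCGen QUARANTINE
14:18:56 Hy-Van ERROR Quarantine failed: DeleteFile failed with error code 5
14:23:02 Hy-Van DETECTION C:\USERS\HY-VAN\APPDATA\LOCAL\TEMP\WPBT0.DLL Trojan.Zbot.CBCGen DENY
"""


def parse_scan_log(text):
    """{item: {"family", "value", "status"}}; status is "removed",
    "pending_reboot" (file was locked, deletion deferred to next boot) or "other"."""
    results = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue  # headings, counters and "(Keine ... gefunden)" lines
        action = m.group("action").lower()
        if action.startswith("quarantined and deleted"):
            status = "removed"
        elif action.startswith("delete on reboot"):
            status = "pending_reboot"
        else:
            status = "other"
        results[m.group("item")] = {"family": m.group("family"), "value": m.group("value"), "status": status}
    return results


def parse_protection_log(text):
    """{path: {"family", "actions", "error"}}. An ERROR line carries no path,
    so it is attributed to the DETECTION line that precedes it."""
    results, last_path = {}, None
    for line in text.splitlines():
        m = PROT_LINE.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "DETECTION" and (d := DETECTION.match(rest)):
            last_path = d.group("path")
            entry = results.setdefault(last_path, {"family": d.group("family"), "actions": [], "error": None})
            entry["actions"].append(d.group("action"))
        elif kind == "ERROR" and last_path and (e := QUARANTINE_ERROR.search(rest)):
            code = int(e.group("code"))
            results[last_path]["error"] = "%s failed: %s" % (e.group("api"), WIN32_ERRORS.get(code, "Win32 error %d" % code))
    return results


def outstanding(scan_results, protection_results):
    """Detections the logs do NOT show as gone, mapped to the reason. Paths are
    compared case-insensitively because the protection log upper-cases them."""
    failed = {p.lower(): e["error"] for p, e in protection_results.items() if e["error"]}
    out = {}
    for item, info in scan_results.items():
        reasons = []
        if info["status"] == "pending_reboot":
            reasons.append("delete on reboot")
        if item.lower() in failed:
            reasons.append(failed[item.lower()])
        if reasons:
            out[item] = "; ".join(reasons)
    return out


if __name__ == "__main__":
    for item, why in outstanding(parse_scan_log(SCAN_LOG), parse_protection_log(PROTECTION_LOG)).items():
        print("still present: %s (%s)" % (item, why))
```

On the logs above this reports only wpbt0.dll, which matches the RunDLL error the user sees after the reboot: the file was still locked when MBAM tried to delete it.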

17.12.2011, 14:42   #4
Chris4You

Hi,

you have Trojan.Zbot.CBCGen on there...
Please post the OTL log...

chris

18.12.2011, 14:47   #5
Khala

Hi,

OTL.Txt
OTL Logfile:
Code:
OTL logfile created on: 18.12.2011 14:34:35 - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Users\Hy-Van\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
1,75 Gb Total Physical Memory | 0,41 Gb Available Physical Memory | 23,58% Memory free
3,74 Gb Paging File | 1,65 Gb Available in Paging File | 44,04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 62,69 Gb Total Space | 14,86 Gb Free Space | 23,70% Space Free | Partition Type: NTFS
Drive D: | 144,04 Gb Total Space | 95,90 Gb Free Space | 66,58% Space Free | Partition Type: NTFS
Drive E: | 81,60 Gb Total Space | 79,41 Gb Free Space | 97,32% Space Free | Partition Type: NTFS
Drive F: | 3,74 Gb Total Space | 3,63 Gb Free Space | 97,13% Space Free | Partition Type: FAT32
 
Computer Name: HY-VAN | User Name: Hy Van | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Hy-Van\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Users\Hy-Van\AppData\Roaming\ICQ\Application\ICQ7.6\ICQ.exe (ICQ, LLC.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE (AVM Berlin)
PRC - C:\Program Files\Windows Live\MessengerDiscovery 2\MessengerDiscovery 2.exe (Matt Holwood)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\avmwlanstick\WLanNetService.exe (AVM Berlin)
PRC - C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
PRC - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
PRC - C:\Acer\Empowering Technology\SysMonitor.exe ()
PRC - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
PRC - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe ()
PRC - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
PRC - C:\Windows\System32\spool\drivers\w32x86\3\CAPPSWK.EXE (CANON INC.)
PRC - C:\Windows\System32\CAPRPCSK.EXE (CANON INC.)
PRC - C:\Program Files\avmwlanstick\FRITZWLANMini.exe (AVM Berlin)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\FileZilla FTP Client\fzshellext.dll ()
MOD - C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\1be8df00c8573200093245985e75a660\Microsoft.VisualBasic.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\0a1195c6b5fab213527364c9e8b26ef0\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\1ba19f8efcff8ad7f972aa38ab9a15f5\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\aa3e053d433c48e1e8c3f436b4de1ed3\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\cfb60f99da570cc494e27e0e8ee747e2\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\381fb23cb39e1a61e13b8770eb9800ba\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\f1aa2385c0109f3059e0e6ba8b58ff68\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll ()
MOD - C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll ()
MOD - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files\Windows Live\Messenger\winmm.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_de_b77a5c561934e089\System.resources.dll ()
MOD - C:\Acer\Empowering Technology\eDataSecurity\x86\ShowErrMsg.dll ()
MOD - C:\Acer\Empowering Technology\SysMonitor.exe ()
MOD - C:\Program Files\Windows Live\Messenger Plus! Live\Detoured.dll ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (TeamViewer6) -- C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (npggsvc) -- C:\Windows\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (SwitchBoard) -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (IGDCTRL) -- C:\Program Files\FRITZ!DSL\IGDCTRL.EXE (AVM Berlin)
SRV - (AVM WLAN Connection Service) -- C:\Program Files\avmwlanstick\WLanNetService.exe (AVM Berlin)
SRV - (eDataSecurity Service) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
SRV - (eSettingsService) -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
SRV - (AcerMemUsageCheckService) -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe ()
SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira GmbH)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (PVUSB) -- C:\Windows\System32\drivers\CESG502.SYS (Hitachi Semiconductor and Devices Sales Co.,Ltd.)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (ACEDRV09) -- C:\Windows\System32\drivers\ACEDRV09.sys (Protect Software GmbH)
DRV - (Uim_IM) -- C:\Windows\System32\drivers\Uim_IM.sys (Paragon)
DRV - (hotcore3) -- C:\Windows\system32\DRIVERS\hotcore3.sys (Paragon Software Group)
DRV - (UimBus) -- C:\Windows\System32\drivers\UimBus.sys (Windows (R) 2000 DDK provider)
DRV - (SSHDRV86) -- C:\Windows\System32\drivers\SSHDRV86.sys ()
DRV - (FWLANUSB) -- C:\Windows\System32\drivers\fwlanusb.sys (AVM GmbH)
DRV - (avmeject) -- C:\Windows\System32\drivers\avmeject.sys (AVM Berlin)
DRV - (nvstor32) -- C:\Windows\system32\drivers\nvstor32.sys (NVIDIA Corporation)
DRV - (nvrd32) -- C:\Windows\system32\drivers\nvrd32.sys (NVIDIA Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (winusb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (zntport) -- C:\Windows\System32\drivers\zntport.sys (Zeal SoftStudio)
DRV - (tvicport) -- C:\Windows\System32\drivers\TVicPort.sys (EnTech Taiwan)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation)
DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys (Acer, Inc.)
DRV - (RapidPort) -- C:\Windows\System32\drivers\CAPLPTN.SYS (CANON INC.)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo! Deutschland
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Yahoo! Deutschland
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = iGoogle Redirect
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Acer.com Worldwide - Select your local country or region [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Acer.com Worldwide - Select your local country or region [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Babylon Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "hxxp://de.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:de:official"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.2
FF - prefs.js..extensions.enabledItems: {c50ca3c4-5656-43c2-a061-13e717f73fc8}:3.0.8
FF - prefs.js..extensions.enabledItems: fdm_ffext@freedownloadmanager.org:1.3.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.8
FF - prefs.js..extensions.enabledItems: {2122962a-1424-fffe-19af-bba2ef3eff4a}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..keyword.URL: "hxxp://www.google.de/#q="
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: D:\Programme\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{184AA5E6-741D-464a-820E-94B3ABC2F3B4}: C:\Users\Hy-Van\AppData\Roaming\5038 [2011.11.04 18:09:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.10.13 22:45:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.04.04 05:25:38 | 000,000,000 | ---D | M]
 
[2009.03.04 21:03:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hy Van\AppData\Roaming\mozilla\Extensions
[2011.11.24 13:15:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hy Van\AppData\Roaming\mozilla\Firefox\Profiles\04zgeds5.default\extensions
[2009.09.02 14:05:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Hy Van\AppData\Roaming\mozilla\Firefox\Profiles\04zgeds5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.04.04 23:36:01 | 000,000,000 | ---D | M] (YouTube Downloader for Facebook) -- C:\Users\Hy Van\AppData\Roaming\mozilla\Firefox\Profiles\04zgeds5.default\extensions\{2122962a-1424-fffe-19af-bba2ef3eff4a}
[2011.11.24 13:15:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Hy Van\AppData\Roaming\mozilla\Firefox\Profiles\04zgeds5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011.09.06 12:48:07 | 000,000,000 | ---D | M] (FlashFirebug) -- C:\Users\Hy Van\AppData\Roaming\mozilla\Firefox\Profiles\04zgeds5.default\extensions\flashfirebug@o-minds.com
[2011.11.24 13:15:37 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\Hy Van\AppData\Roaming\mozilla\Firefox\Profiles\04zgeds5.default\extensions\foxyproxy@eric.h.jung
[2010.06.25 15:05:58 | 000,002,059 | ---- | M] () -- C:\Users\Hy Van\AppData\Roaming\Mozilla\Firefox\Profiles\04zgeds5.default\searchplugins\daemon-search.xml
[2011.08.09 22:55:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.09.26 15:51:07 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010.05.18 04:39:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.09.19 08:31:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010.10.17 04:34:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010.12.21 06:43:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011.02.20 10:34:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011.08.09 22:55:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
[2011.05.01 04:38:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2011.05.01 04:38:00 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
() (No name found) -- C:\USERS\HY VAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\04ZGEDS5.DEFAULT\EXTENSIONS\{888D99E7-E8B5-46A3-851E-1EC45DA1E644}.XPI
() (No name found) -- C:\USERS\HY VAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\04ZGEDS5.DEFAULT\EXTENSIONS\{9C51BD27-6ED8-4000-A2BF-36CB95C0C947}.XPI
() (No name found) -- C:\USERS\HY VAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\04ZGEDS5.DEFAULT\EXTENSIONS\{C45C406E-AB73-11D8-BE73-000A95BE3B12}.XPI
() (No name found) -- C:\USERS\HY VAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\04ZGEDS5.DEFAULT\EXTENSIONS\{C50CA3C4-5656-43C2-A061-13E717F73FC8}.XPI
() (No name found) -- C:\USERS\HY VAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\04ZGEDS5.DEFAULT\EXTENSIONS\FIREBUG@SOFTWARE.JOEHEWITT.COM.XPI
[2011.11.04 18:09:44 | 000,000,000 | ---D | M] (Java String Helper) -- C:\USERS\HY-VAN\APPDATA\ROAMING\5038
[2011.08.31 22:24:31 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.08.09 22:55:37 | 000,611,224 | ---- | M] (Oracle Corporation) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011.08.31 22:24:29 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010.04.08 15:45:57 | 000,002,191 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2011.08.31 22:24:29 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2009.09.21 12:24:16 | 000,001,329 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\crawlersrch.xml
[2011.08.31 22:24:29 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011.08.31 22:24:29 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.08.31 22:24:29 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.08.31 22:24:29 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programme\Free Download Manager\iefdm2.dll ()
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O4 - HKLM..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe ()
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [AVMWlanClient] C:\Program Files\avmwlanstick\FRITZWLANMini.exe (AVM Berlin)
O4 - HKLM..\Run: [CAPON] C:\Windows\System32\spool\drivers\w32x86\3\CAPONN.EXE (CANON INC.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVRaidService] C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe File not found
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKCU..\Run: [2F7ZUJ7G2IWWUB5WQXTNWQFN] C:\SystemData\217FA966C5A.exe /q File not found
O4 - HKCU..\Run: [avupdate]  File not found
O4 - HKCU..\Run: [Free Download Manager] D:\Programme\Free Download Manager\fdm.exe (FreeDownloadManager.ORG)
O4 - HKCU..\Run: [ICQ] C:\Program Files\ICQ7.5\ICQ.exe (ICQ, LLC.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O8 - Extra context menu item: Alles mit FDM herunterladen - D:\Programme\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Auswahl mit FDM herunterladen - D:\Programme\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Datei mit FDM herunterladen - D:\Programme\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Videos mit FDM herunterladen - D:\Programme\Free Download Manager\dlfvideo.htm ()
O9 - Extra Button: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O13 - gopher Prefix: missing
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/de/uno1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab (Java Plug-in 10.0.0)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab (Java Plug-in 1.7.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{222A2779-18E8-455C-95EA-E2D93937ED1A}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2FC76DB2-719C-4570-9177-8E5A30E0FE49}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{4231dbd8-4768-11de-89e1-00218532014d}\Shell - "" = AutoRun
O33 - MountPoints2\{4231dbd8-4768-11de-89e1-00218532014d}\Shell\AutoRun\command - "" = L:\pushinst.exe
O33 - MountPoints2\L\Shell - "" = AutoRun
O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\pushinst.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011.12.17 09:58:49 | 000,000,000 | ---D | C] -- C:\Users\Hy Van\AppData\Roaming\Malwarebytes
[2011.12.17 09:58:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.12.17 09:58:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.12.17 09:58:00 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.12.17 09:57:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011.12.17 09:37:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2011.12.17 09:36:57 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2011.12.17 09:36:54 | 000,134,856 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2011.12.17 09:36:54 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2011.12.17 09:36:54 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys
[2011.12.17 09:36:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2011.12.17 09:36:50 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011.12.13 22:22:08 | 000,000,000 | ---D | C] -- C:\Users\Hy Van\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HOXChess
[2011.12.13 22:22:07 | 000,000,000 | ---D | C] -- C:\Program Files\HOXChess
[2011.12.07 18:28:55 | 000,000,000 | ---D | C] -- C:\Program Files\Iomega
[2011.11.30 22:48:01 | 000,000,000 | ---D | C] -- C:\EGIS_Drive
[2011.11.26 11:08:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MySQL
[2011.11.25 23:16:07 | 000,000,000 | -HSD | C] -- C:\found.000
[2011.11.23 19:07:30 | 000,000,000 | ---D | C] -- C:\Program Files\MySQL
[2009.03.03 21:50:33 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
[2009.02.27 18:58:54 | 000,049,152 | ---- | C] ( ) -- C:\Windows\INTEROP.IWSHRUNTIMELIBRARY.DLL
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2011.12.18 14:16:31 | 004,719,822 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.12.18 14:16:31 | 001,452,284 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.12.18 14:16:31 | 001,364,772 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.12.18 14:16:31 | 001,199,186 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.12.18 14:10:43 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.12.18 14:10:03 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.12.18 14:10:03 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.12.18 14:09:59 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.12.18 14:09:54 | 1878,130,688 | -HS- | M] () -- C:\hiberfil.sys
[2011.12.17 14:09:07 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.12.17 09:58:08 | 000,000,870 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.12.17 09:37:09 | 000,001,851 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2011.12.17 02:11:37 | 000,000,250 | ---- | M] () -- C:\Users\Hy Van\mm.cfg
[2011.12.09 12:40:20 | 000,134,856 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2011.12.09 12:40:20 | 000,074,640 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2011.12.09 12:40:20 | 000,036,000 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys
[2011.11.26 14:22:09 | 003,703,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011.11.20 19:11:15 | 000,001,975 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2011.12.17 09:58:08 | 000,000,870 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.12.17 09:37:09 | 000,001,851 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2011.12.16 16:48:46 | 1878,130,688 | -HS- | C] () -- C:\hiberfil.sys
[2011.10.12 09:35:26 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011.08.10 09:18:50 | 000,000,058 | ---- | C] () -- C:\Users\Hy Van\AppData\Roaming\you.bmp
[2010.12.08 06:36:08 | 000,794,906 | ---- | C] () -- C:\Windows\unins000.exe
[2010.12.08 06:36:08 | 000,004,152 | ---- | C] () -- C:\Windows\unins000.dat
[2010.06.25 15:57:05 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010.06.25 15:57:05 | 000,022,328 | ---- | C] () -- C:\Users\Hy Van\AppData\Roaming\PnkBstrK.sys
[2010.06.25 15:56:49 | 000,103,736 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2010.06.25 15:56:47 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2010.06.25 15:56:46 | 000,000,266 | ---- | C] () -- C:\Windows\game.ini
[2010.06.11 22:15:39 | 000,000,032 | R--- | C] () -- C:\ProgramData\hash.dat
[2010.02.25 22:06:28 | 000,016,070 | ---- | C] () -- C:\Windows\German2.ini
[2010.02.25 22:06:26 | 000,446,464 | ---- | C] () -- C:\Windows\System32\Tx32.dll
[2010.02.25 22:06:26 | 000,000,151 | ---- | C] () -- C:\Windows\System32\ic32.ini
[2009.07.10 16:12:27 | 000,000,680 | ---- | C] () -- C:\Users\Hy Van\AppData\Local\d3d9caps.dat
[2009.06.19 15:16:02 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009.06.08 16:22:04 | 000,081,408 | ---- | C] () -- C:\Windows\System32\drivers\SSHDRV86.sys
[2009.05.23 08:16:40 | 000,097,360 | ---- | C] () -- C:\Windows\System32\drivers\Fwusb1b.bin
[2009.04.16 17:45:55 | 001,868,944 | ---- | C] () -- C:\Windows\System32\RSA32_16.DLL
[2009.03.05 16:37:15 | 000,032,256 | ---- | C] () -- C:\Users\Hy Van\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.03.04 05:03:44 | 000,013,576 | ---- | C] () -- C:\Windows\System32\wnaspi32.dll
[2009.03.03 21:51:32 | 000,077,824 | ---- | C] () -- C:\Windows\System32\drivers\INT15_DETECT.EXE
[2009.03.03 21:50:34 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2008.11.06 17:37:32 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008.03.21 23:49:55 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008.03.21 22:05:48 | 000,001,108 | ---- | C] () -- C:\Windows\generic.ini
[2008.03.21 22:05:48 | 000,000,138 | ---- | C] () -- C:\Windows\Alaunch.ini
[2008.03.21 15:18:28 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2008.03.21 14:19:12 | 000,001,732 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008.01.21 08:15:58 | 004,719,822 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2008.01.21 08:15:58 | 001,452,284 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2008.01.21 08:15:58 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2008.01.21 08:15:58 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2008.01.21 03:24:14 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 13:47:37 | 003,703,440 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 11:33:01 | 001,364,772 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 11:33:01 | 001,199,186 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 11:25:25 | 000,557,568 | ---- | C] () -- C:\Windows\System32\hpotscld.dll
[2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006.11.02 08:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2002.07.31 21:32:03 | 000,056,832 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll
[2001.12.26 15:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001.09.03 22:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001.07.30 15:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001.07.23 21:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 98 bytes -> C:\ProgramData\TEMP:9F683177
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:4BB26BE9
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:2B99FE60
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:C95B63DA
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:8CE646EE
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:8173A019
@Alternate Data Stream - 106 bytes -> C:\ProgramData\TEMP:B623B5B8

< End of report >
--- --- ---


Extras.Txt
OTL Logfile:
Code:
OTL Extras logfile created on: 18.12.2011 14:34:35 - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Users\Hy-Van\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy
 
1,75 Gb Total Physical Memory | 0,41 Gb Available Physical Memory | 23,58% Memory free
3,74 Gb Paging File | 1,65 Gb Available in Paging File | 44,04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 62,69 Gb Total Space | 14,86 Gb Free Space | 23,70% Space Free | Partition Type: NTFS
Drive D: | 144,04 Gb Total Space | 95,90 Gb Free Space | 66,58% Space Free | Partition Type: NTFS
Drive E: | 81,60 Gb Total Space | 79,41 Gb Free Space | 97,32% Space Free | Partition Type: NTFS
Drive F: | 3,74 Gb Total Space | 3,63 Gb Free Space | 97,13% Space Free | Partition Type: FAT32
 
Computer Name: HY-VAN | User Name: Hy Van | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe" = C:\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu -- (Egis Incorporated.)
"C:\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe" = C:\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption -- ( Egis Incorporated.)
"C:\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe" = C:\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption -- ( Egis Incorporated.)
"C:\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe" = C:\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr
"C:\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe" = C:\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr -- (Egis Incorporated.)
"C:\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe" = C:\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu -- (Egis Incorporated.)
"C:\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe" = C:\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption
"C:\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe" = C:\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption
"C:\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe" = C:\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr
"C:\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe" = C:\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr -- (Egis Incorporated.)
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0188F05A-4895-418C-965B-49B9DF55BE92}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{0E472708-639A-4975-B22C-C4378C466903}" = rport=445 | protocol=6 | dir=out | app=system | 
"{222C4B6C-CBD5-4BEE-8D31-A64BAE3F0401}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework\v4.0.30319\smsvchost.exe | 
"{239EF6C9-8903-4EA7-822F-C285174843FE}" = lport=5000 | protocol=17 | dir=in | name=akamai netsession interface | 
"{2ADC68E1-9372-4B5D-BF2E-29EA1FA2B16E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | 
"{41C3B779-F366-4E4E-9ED8-C8A83E7CAE09}" = lport=137 | protocol=17 | dir=in | app=system | 
"{42F94E2E-5CC9-470E-ACB3-51FE6D0D2088}" = rport=137 | protocol=17 | dir=out | app=system | 
"{5163AD77-622D-4D23-90FF-99E44835AAD4}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{678D8660-ACD1-4F9D-8A13-2CA7A1ACCE43}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{6C386D1A-0DF8-412E-9EA2-EF105C55505C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{76DC8764-B94E-4C7E-B8AF-A6B08DC84496}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{77099DA7-882A-43EE-ADF6-EBFDF6287587}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{7F4D9947-AE1A-4C6F-8B4E-C03E8E90A490}" = lport=49179 | protocol=6 | dir=in | name=akamai netsession interface | 
"{8DE662E8-2F47-49E8-998E-558FACFC1D36}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{9219A2EC-F52A-4109-96B8-609388531A6E}" = lport=445 | protocol=6 | dir=in | app=system | 
"{947577D7-2004-4E8F-946E-84196376A177}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{A1F17C22-5905-4B11-B4E4-14B0400F5238}" = rport=139 | protocol=6 | dir=out | app=system | 
"{A919B4A2-917D-46E9-9813-9BD3B6E481CD}" = lport=139 | protocol=6 | dir=in | app=system | 
"{B50B1DD5-275E-481A-BD24-49C884B3E7AF}" = rport=138 | protocol=17 | dir=out | app=system | 
"{C2BC5A0B-7FD5-4CCC-A75B-B9ACDD1A25B6}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{C7AC7319-76F0-479E-B5F1-8B058EEB0409}" = lport=138 | protocol=17 | dir=in | app=system | 
"{CA68005D-FBF7-4128-AA37-B40958398CE4}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{EF59D28C-9226-42EB-AF43-22EB2A3305B5}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{FDF418E4-1D9D-4272-9FF5-FC6FC8A85DA9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{058A90AA-5F0A-4124-9687-23480D142C6D}" = protocol=17 | dir=in | app=c:\program files\icq7.5\icq.exe | 
"{06217170-F304-41DC-9751-F7D58EA2C706}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | 
"{0B9E0E14-8B34-4583-9526-0001E0AD77EB}" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3y.exe | 
"{0E88D9A3-7195-46B0-91A2-9F037CD89009}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe | 
"{16253BB2-B327-45CC-97D4-C486B8E367B2}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{16DACA48-F089-458D-AA96-674675EB73CA}" = protocol=6 | dir=in | app=c:\program files\icq7.5\icq.exe | 
"{1702864C-70C1-40B8-90DF-E0A2C6374BC4}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | 
"{1909AC47-C586-40D5-AE62-7A79589C1579}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{27863206-1F4F-406B-A60C-E989F9C37452}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version6\teamviewer.exe | 
"{27F11F75-83C7-4830-990F-19CA9471EAF0}" = protocol=17 | dir=in | app=c:\users\hy-van\appdata\local\akamai\netsession_win.exe | 
"{35AC9C76-DD55-42F7-92C1-8744F2814A97}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | 
"{3E01C8B3-2455-40AA-AA18-6EC8D65C8702}" = protocol=17 | dir=in | app=c:\program files\teamviewer\version6\teamviewer_service.exe | 
"{47D37723-D82C-4354-923C-BE9B6B44104D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{4D6AD0F3-AC13-4983-AE04-E3BF6C3E9FC4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{53ADDD97-FA3A-47C4-9882-D4C73240ABE3}" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3y.exe | 
"{53CE8B05-D7AF-4D49-80A1-93FFCA45D4AD}" = protocol=17 | dir=in | app=c:\program files\icq7.5\icq.exe | 
"{5404A967-FCEC-4F7C-B6C1-6F5B668505E1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{5611C9F0-A39D-4256-AFD2-5B2BAB989902}" = protocol=6 | dir=in | app=c:\program files\alaplaya\s4league\patcher_s4.exe | 
"{5CC684E4-DDDE-4743-9B64-643E3EC81758}" = protocol=6 | dir=out | app=system | 
"{6DA632D9-98FE-4590-9C5F-4F6317C9D8F4}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe | 
"{75719D2D-FA7D-495B-B7EB-EF4F0A9864B5}" = protocol=17 | dir=in | app=c:\program files\alaplaya\s4league\patcher_s4.exe | 
"{75C2B8E8-A78E-4354-AAC2-1F212BFF920B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{792A881A-CA4E-4D89-B821-4CB1363E88E4}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{85E433EA-D4B1-466C-952F-F593FD08782C}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version6\teamviewer_service.exe | 
"{86955A5D-5849-4EE2-BE8A-EF1F54B20846}" = protocol=6 | dir=in | app=d:\programme\css\hl2.exe | 
"{876C7857-7A82-4171-A41E-4B5CB43AE263}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{8977D207-A112-4FEC-A58C-5996DFC0B053}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{91F28CAB-A124-439B-BC10-F07310B71A23}" = protocol=6 | dir=in | app=c:\users\hy-van\appdata\local\akamai\netsession_win.exe | 
"{97BB13F9-D238-46E3-86EF-772A5F2735D8}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe | 
"{9C8142F4-3648-499D-B2E0-8C78983BE8CD}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | 
"{AB988D23-B871-49CB-B7BB-CBC8A0D4B611}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | 
"{BB437405-F3A2-4056-AE31-00AE927C0629}" = protocol=17 | dir=in | app=d:\programme\css\hl2.exe | 
"{D0A185EC-8C3B-4536-8E7A-142AFB5D4AC7}" = dir=in | app=c:\program files\skype\phone\skype.exe | 
"{D18F00D8-B3D8-4A44-B854-209E13A0E796}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{D64B9BE2-AD71-472C-9DB8-D2D6810FAB82}" = dir=in | app=c:\program files\acer arcade live\acer homemedia connect\acer homemedia connect.exe | 
"{DDB2527A-E9DF-4172-B069-F436B6B628E5}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | 
"{DEBBD6C8-6BAC-4AC1-9AB5-933F0CEFDD07}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{E2DAB2B8-286C-4551-9966-9E645B392926}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | 
"{E40B496B-0214-4B50-8FD3-FCB3A2AD2F54}" = protocol=6 | dir=in | app=c:\program files\teamviewer\version6\teamviewer.exe | 
"{E88CB85E-5FA1-4349-9FA9-8AD5F40640BA}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe | 
"{E88ED7F0-9A41-4093-B4DA-17879AF2BCEE}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{EC7B0A38-593D-4E83-BF71-786DFCA4FEF8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{ECE8B197-C77F-47BE-8D91-E3AC6AACDEE2}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe | 
"{EE67D0E5-D77E-4585-8154-E1D3CC9E85CC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{F9FF3881-F509-443C-BAC3-54F3228A8B66}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe | 
"{FA5C780E-0691-4527-8119-330E01097A78}" = protocol=6 | dir=in | app=c:\program files\icq7.5\icq.exe | 
"{FA7C6DF1-59B4-4F66-808A-CB49382C3125}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"TCP Query User{00B6A17E-F9E3-4924-9AFF-A70719D511DB}D:\programme\age of empires 2 & the conquerors expansion - full game\empires2.exe" = protocol=6 | dir=in | app=d:\programme\age of empires 2 & the conquerors expansion - full game\empires2.exe | 
"TCP Query User{0833C595-AB29-4526-93D1-C8E2D4492FC8}D:\programme\littlefighter\r-lf2\lf2.exe" = protocol=6 | dir=in | app=d:\programme\littlefighter\r-lf2\lf2.exe | 
"TCP Query User{0A90721B-2E08-4527-963B-D1CED9C13809}C:\program files\age of empires iii\age3y.exe" = protocol=6 | dir=in | app=c:\program files\age of empires iii\age3y.exe | 
"TCP Query User{1092D92A-4755-45CE-AA41-BEE7ACC4EA4E}C:\users\hy van\desktop\123boxl4dxers\left 4 dead\left4dead.exe" = protocol=6 | dir=in | app=c:\users\hy van\desktop\123boxl4dxers\left 4 dead\left4dead.exe | 
"TCP Query User{13DC9E25-D15A-4449-AB7C-1FD50A73939A}J:\empire earth\empire earth\empire earth.exe" = protocol=6 | dir=in | app=j:\empire earth\empire earth\empire earth.exe | 
"TCP Query User{18E583D1-AC0C-4A84-A76E-CDFEC0B61B93}D:\programme\empire earth\empire earth.exe" = protocol=6 | dir=in | app=d:\programme\empire earth\empire earth.exe | 
"TCP Query User{294DE7B5-817F-4331-90CA-6D98B23BFC5D}C:\users\hy-van\appdata\roaming\icq\application\icq7.6\icq.exe" = protocol=6 | dir=in | app=c:\users\hy-van\appdata\roaming\icq\application\icq7.6\icq.exe | 
"TCP Query User{40FF3917-8364-417A-A5AB-3A3F461A3EE8}D:\programme\littlefighter\lf2\lf2.exe" = protocol=6 | dir=in | app=d:\programme\littlefighter\lf2\lf2.exe | 
"TCP Query User{465636D4-8B89-4D8A-B7FA-B58845C9220D}C:\users\hy van\desktop\empire earth\empire earth\empire earth.exe" = protocol=6 | dir=in | app=c:\users\hy van\desktop\empire earth\empire earth\empire earth.exe | 
"TCP Query User{494CC28B-03B1-480A-ADF2-3787AF0E7832}D:\programme\age of empires 2 & the conquerors expansion - full game\empires2.exe" = protocol=6 | dir=in | app=d:\programme\age of empires 2 & the conquerors expansion - full game\empires2.exe | 
"TCP Query User{609F4B9C-46BF-426B-828F-B67904B0E3A3}C:\program files\lucasarts\star wars jk ii jedi outcast\gamedata\jk2mp.exe" = protocol=6 | dir=in | app=c:\program files\lucasarts\star wars jk ii jedi outcast\gamedata\jk2mp.exe | 
"TCP Query User{66A2EEE2-7EA7-45BE-AF64-8AA0C13608C3}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | 
"TCP Query User{68555440-6672-4664-8E49-562AF154EF23}D:\programme\valve\hl.exe" = protocol=6 | dir=in | app=d:\programme\valve\hl.exe | 
"TCP Query User{8186B866-1129-4539-9EF3-A4CB5B9DFD32}D:\xampp\apache\bin\httpd.exe" = protocol=6 | dir=in | app=d:\xampp\apache\bin\httpd.exe | 
"TCP Query User{8660E4E7-FD70-428B-B647-2D1681636062}D:\programme\farmhelper\fvbot.exe" = protocol=6 | dir=in | app=d:\programme\farmhelper\fvbot.exe | 
"TCP Query User{8704310C-9122-4BC3-90F4-6D8DE845C19B}D:\programme\age of empires 2 & the conquerors expansion - full game\age2_x1.exe" = protocol=6 | dir=in | app=d:\programme\age of empires 2 & the conquerors expansion - full game\age2_x1.exe | 
"TCP Query User{90BB1C46-8582-42AE-B3D6-DB9C2DFDC4B7}C:\windows\system32\dplaysvr.exe" = protocol=6 | dir=in | app=c:\windows\system32\dplaysvr.exe | 
"TCP Query User{9952A9B1-12CF-4309-8A3B-320BA267D966}C:\program files\qianhong\qianhong.exe" = protocol=6 | dir=in | app=c:\program files\qianhong\qianhong.exe | 
"TCP Query User{9CE9E465-C722-42F6-89AA-E19E65A59ECA}D:\programme\age of empires 2 & the conquerors expansion - full game\age2_x1.exe" = protocol=6 | dir=in | app=d:\programme\age of empires 2 & the conquerors expansion - full game\age2_x1.exe | 
"TCP Query User{B3BCAAED-2A95-4867-8F73-261EAFA30C45}D:\xampp\mysql\bin\mysqld.exe" = protocol=6 | dir=in | app=d:\xampp\mysql\bin\mysqld.exe | 
"TCP Query User{B731583F-FC11-49F9-9670-87694492B3B9}D:\programme\metin2\metin2.bin" = protocol=6 | dir=in | app=d:\programme\metin2\metin2.bin | 
"TCP Query User{C11DB4F4-9844-435D-8B5E-FEB3EB8A8527}C:\users\hy van\desktop\empire earth\empire earth.exe" = protocol=6 | dir=in | app=c:\users\hy van\desktop\empire earth\empire earth.exe | 
"TCP Query User{C5863B5C-E972-42E5-B6E8-1D133D71086A}C:\program files\turbonote\tbnote.exe" = protocol=6 | dir=in | app=c:\program files\turbonote\tbnote.exe | 
"TCP Query User{DB062867-064F-4148-B2BA-1F81BA678B04}C:\program files\empire earth\empire earth.exe" = protocol=6 | dir=in | app=c:\program files\empire earth\empire earth.exe | 
"TCP Query User{DED1F2B5-8478-4F60-92C2-4396A55A37D6}D:\programme\littlefighter\r-lf2\lf2.exe" = protocol=6 | dir=in | app=d:\programme\littlefighter\r-lf2\lf2.exe | 
"TCP Query User{E1C47D99-C599-4526-BD22-87FF13D12FD7}D:\programme\valve\hl.exe" = protocol=6 | dir=in | app=d:\programme\valve\hl.exe | 
"TCP Query User{E642D800-1418-4776-B1D3-E6880659142E}C:\program files\turbonote\tbnote.exe" = protocol=6 | dir=in | app=c:\program files\turbonote\tbnote.exe | 
"TCP Query User{EC7AF09C-3CD3-43AA-A5C0-BCAFE9AA25D2}D:\programme\css\hl2.exe" = protocol=6 | dir=in | app=d:\programme\css\hl2.exe | 
"TCP Query User{F8D3D2DF-6D64-4653-B731-BE16379F4CF1}C:\program files\icq7.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq7.5\icq.exe | 
"UDP Query User{058BD50D-AC67-49E8-80B2-14835270DCE2}C:\program files\turbonote\tbnote.exe" = protocol=17 | dir=in | app=c:\program files\turbonote\tbnote.exe | 
"UDP Query User{0BE339DA-4FB9-401F-9863-EDFC629BF403}D:\programme\empire earth\empire earth.exe" = protocol=17 | dir=in | app=d:\programme\empire earth\empire earth.exe | 
"UDP Query User{1DC062B8-5C15-4FFA-B574-6A20D1F3B7ED}D:\xampp\apache\bin\httpd.exe" = protocol=17 | dir=in | app=d:\xampp\apache\bin\httpd.exe | 
"UDP Query User{226D34F8-B3C5-4FED-A604-F525DD3E3AA2}C:\windows\system32\dplaysvr.exe" = protocol=17 | dir=in | app=c:\windows\system32\dplaysvr.exe | 
"UDP Query User{2906C36F-C57A-4BFA-AA5D-7E5B8EFE4F9D}C:\program files\empire earth\empire earth.exe" = protocol=17 | dir=in | app=c:\program files\empire earth\empire earth.exe | 
"UDP Query User{291C7FF5-BC57-4BB3-822A-12CE8C6C9D1F}D:\programme\metin2\metin2.bin" = protocol=17 | dir=in | app=d:\programme\metin2\metin2.bin | 
"UDP Query User{30DF5D61-AF91-4D3D-AD41-796ED7F99B3D}D:\programme\css\hl2.exe" = protocol=17 | dir=in | app=d:\programme\css\hl2.exe | 
"UDP Query User{33D414BC-63FA-40BC-A8B7-2E53BE4A913B}C:\users\hy van\desktop\empire earth\empire earth.exe" = protocol=17 | dir=in | app=c:\users\hy van\desktop\empire earth\empire earth.exe | 
"UDP Query User{3676D717-7A25-432F-963C-7BD4D2FBCC24}D:\programme\littlefighter\lf2\lf2.exe" = protocol=17 | dir=in | app=d:\programme\littlefighter\lf2\lf2.exe | 
"UDP Query User{3F92352D-885D-4E27-A729-EE4F4E227A44}D:\programme\littlefighter\r-lf2\lf2.exe" = protocol=17 | dir=in | app=d:\programme\littlefighter\r-lf2\lf2.exe | 
"UDP Query User{46092021-9FD3-4FF7-9499-3FDC51DB79E8}D:\programme\age of empires 2 & the conquerors expansion - full game\empires2.exe" = protocol=17 | dir=in | app=d:\programme\age of empires 2 & the conquerors expansion - full game\empires2.exe | 
"UDP Query User{4DBA67EF-2C30-4509-855A-FB3AFFC5E676}D:\programme\littlefighter\r-lf2\lf2.exe" = protocol=17 | dir=in | app=d:\programme\littlefighter\r-lf2\lf2.exe | 
"UDP Query User{500B09DF-BFCA-4E03-B4C0-188E83C55C7F}D:\programme\age of empires 2 & the conquerors expansion - full game\empires2.exe" = protocol=17 | dir=in | app=d:\programme\age of empires 2 & the conquerors expansion - full game\empires2.exe | 
"UDP Query User{55F53A4E-6BB5-4F5A-8AD1-7351F76C7E1C}D:\programme\farmhelper\fvbot.exe" = protocol=17 | dir=in | app=d:\programme\farmhelper\fvbot.exe | 
"UDP Query User{66F6BF80-6151-419A-A782-2C0339E41BCE}J:\empire earth\empire earth\empire earth.exe" = protocol=17 | dir=in | app=j:\empire earth\empire earth\empire earth.exe | 
"UDP Query User{688EB441-A601-43ED-A2D3-9FE4F90A5B8A}C:\program files\icq7.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq7.5\icq.exe | 
"UDP Query User{763AA458-8716-4BF7-988C-88273D717EBF}D:\programme\age of empires 2 & the conquerors expansion - full game\age2_x1.exe" = protocol=17 | dir=in | app=d:\programme\age of empires 2 & the conquerors expansion - full game\age2_x1.exe | 
"UDP Query User{84CDF5FE-BCA6-43E5-AC1F-3F9AB32EC099}D:\xampp\mysql\bin\mysqld.exe" = protocol=17 | dir=in | app=d:\xampp\mysql\bin\mysqld.exe | 
"UDP Query User{85835CF7-1592-4801-B569-AC52FF8ABFF5}C:\program files\age of empires iii\age3y.exe" = protocol=17 | dir=in | app=c:\program files\age of empires iii\age3y.exe | 
"UDP Query User{A8C55F68-F86C-455C-A716-0815F253D865}D:\programme\age of empires 2 & the conquerors expansion - full game\age2_x1.exe" = protocol=17 | dir=in | app=d:\programme\age of empires 2 & the conquerors expansion - full game\age2_x1.exe | 
"UDP Query User{AEBB720B-5560-4D75-9B3D-F1BA7A7A2336}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | 
"UDP Query User{B04E176B-8CAC-44B3-92D2-8069F1D16F08}C:\users\hy van\desktop\123boxl4dxers\left 4 dead\left4dead.exe" = protocol=17 | dir=in | app=c:\users\hy van\desktop\123boxl4dxers\left 4 dead\left4dead.exe | 
"UDP Query User{BB148B91-0B57-435D-9232-41A01B80294B}C:\users\hy-van\appdata\roaming\icq\application\icq7.6\icq.exe" = protocol=17 | dir=in | app=c:\users\hy-van\appdata\roaming\icq\application\icq7.6\icq.exe | 
"UDP Query User{BF42F0C6-6779-4CCF-9028-D2770FCFC367}D:\programme\valve\hl.exe" = protocol=17 | dir=in | app=d:\programme\valve\hl.exe | 
"UDP Query User{C5DA2D4F-A72E-4216-BB42-25F229CF61B4}C:\users\hy van\desktop\empire earth\empire earth\empire earth.exe" = protocol=17 | dir=in | app=c:\users\hy van\desktop\empire earth\empire earth\empire earth.exe | 
"UDP Query User{D1050F57-D74C-4E3B-A651-1A46669E2029}C:\program files\turbonote\tbnote.exe" = protocol=17 | dir=in | app=c:\program files\turbonote\tbnote.exe | 
"UDP Query User{D30F8B3D-901E-4599-B0B5-4D57B4DA6F58}C:\program files\qianhong\qianhong.exe" = protocol=17 | dir=in | app=c:\program files\qianhong\qianhong.exe | 
"UDP Query User{F913C3E6-60BB-4D7B-9543-B0224303CCD4}D:\programme\valve\hl.exe" = protocol=17 | dir=in | app=d:\programme\valve\hl.exe | 
"UDP Query User{FD671034-BAF7-4B9F-834E-8861132B57CA}C:\program files\lucasarts\star wars jk ii jedi outcast\gamedata\jk2mp.exe" = protocol=17 | dir=in | app=c:\program files\lucasarts\star wars jk ii jedi outcast\gamedata\jk2mp.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01358C56-44F4-B8B3-8757-06F2A864A863}" = ATI Catalyst Install Manager
"{028ED9C4-25EE-4DEE-9CF4-91034BC89B18}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch)
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{13B792AA-C078-43A4-8A3A-8B12D629940D}" = Counter-Strike 1.6
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"{15B5294C-1D82-476C-B287-E86A0CC6D6DC}" = MySQL Workbench 5.2 CE
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java(TM) 6 Update 24
"{26A24AE4-039D-4CA4-87B4-2F83217000FF}" = Java(TM) 7
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0170000}" = Java(TM) SE Development Kit 7
"{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{421EC9A7-4A58-43CD-AC9B-8FACFFB9A843}" = Microsoft Visual C# 2005 Express Edition - DEU
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{5B52E1FF-BD66-4582-97BA-55C575C19504}" = Microsoft MSDN 2005 Express Edition - DEU
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{66336E9B-5482-B5FB-94F0-405874EE3541}" = Adobe Download Assistant
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{74A929E2-FBD8-4736-A84E-2ABBB2ABADF2}" = AVM FRITZ!DSL
"{7578ADEA-D65F-4C89-A249-B1C88B6FFC20}" = ICQ7.5
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = 
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8380C411-7CAF-41FF-9413-9FF1C7A98800}" = S4 League_EU
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{9158FF30-78D7-40EF-B83E-451AC5334640}" = Adobe Photoshop CS5.1
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CB59E92-98BB-4BE9-9CA2-66FD929EB57A}" = SafeGuard® PrivateCrypto 2.31.1 - Unlicensed Version
"{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A8CF5C37-8EC5-4C33-BB4A-87F468B77D45}" = Age of Empires III
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1031-7B44-A81300000003}" = Adobe Reader 8.1.4 - Deutsch
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AED2DD42-9853-407E-A6BC-8A1D6B715909}" = Windows Live Messenger
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{BBAAAD82-6242-420F-86D4-BD72BB5E6C86}" = Tools für Microsoft SQL Server 2005 Express Edition
"{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe  1.4.142.1
"{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management
"{D06737BC-9887-46E0-A203-29D7FE756019}" = ClassPad Manager v3 Professional
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D2041A37-5FEC-49F0-AE5C-3F2FFDFAA4F4}" = Windows Live Call
"{D462BF9E-0C35-4705-BF9B-3DF9F3816643}" = Acer ePerformance Management
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DDD5104F-1C44-49EB-9E6B-29EC5D27658B}" = HP Update
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F46E21DF-5BE1-48E2-8390-5EEA8B25E36A}" = Microsoft SQL Server Native Client
"{F8013DD1-574B-4921-A473-88A2F7A34D16}" = Paragon Festplatten Manager 10 - Drive Backup
"{FDE96E86-7780-431C-92F7-679C6A7CEC51}" = Microsoft SQL Server VSS Writer
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Age of Empires 2.0" = Microsoft Age of Empires II
"Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.9
"AoA Audio Extractor_is1" = AoA Audio Extractor 1.0
"AutoItv3" = AutoIt v3.3.0.0
"Avira AntiVir Desktop" = Avira Free Antivirus
"AVMFBox" = AVM FRITZ!Box Dokumentation
"AVMFBoxPrinter" = AVM FRITZ!Box Druckeranschluss
"AVMWLANCLI" = AVM FRITZ!WLAN
"BlueJ_is1" = BlueJ 3.0.5
"Canon Advanced Printing Technology" = Canon CAPT-Drucker
"CCleaner" = CCleaner (remove only)
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant
"Counter-Strike: Source v17" = Counter-Strike: Source v17
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup.divx.com" = DivX-Setup
"File Splitter and Joiner_is1" = File Splitter and Joiner (FFSJ v3.3)
"FileZilla Client" = FileZilla Client 3.5.1
"Free Download Manager_is1" = Free Download Manager 3.0
"Free YouTube Download_is1" = Free YouTube Download 2.2
"GAMEFORGE Nostale(DE)_is1" = Nostale Online DE (Remove)
"Google Chrome" = Google Chrome
"HOXChess" = HOXChess 1.0.0
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7
"InstallShield_{A8CF5C37-8EC5-4C33-BB4A-87F468B77D45}" = Age of Empires III
"InstallShield_{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"Little Fighter 2" = Little Fighter 2 version 2.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.2.1300
"Messenger Plus! Live" = Messenger Plus! Live
"MessengerDiscovery 2_is1" = MessengerDiscovery 2.0.44
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft MSDN 2005 Express Edition - DEU" = Microsoft MSDN 2005 Express Edition - DEU
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual C# 2005 Express Edition - DEU" = Microsoft Visual C# 2005 Express Edition - DEU
"Mozilla Firefox 6.0.1 (x86 de)" = Mozilla Firefox 6.0.1 (x86 de)
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"TeamViewer 6" = TeamViewer 6
"Uninstall_is1" = Uninstall 1.0.0.1
"VLC media player" = VLC media player 1.0.5
"web2date" = DATA BECKER web to date 5
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
"Yahoo! Messenger" = Yahoo! Messenger
 
========== Last 10 Event Log Errors ==========
 
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
 
< End of report >
         
--- --- ---


18.12.2011, 14:56   #6
Chris4You
BKA-Malware - Standard

BKA-Malware



Hi,

Fix for OTL:
  • Double-click OTL.exe to run the program.
  • Vista/Win7 users: please right-click and choose "Run as administrator".
  • Copy the entire contents of the following code box into the OTL box under "Custom Scan/Fixes"

[code]

:OTL
[2011.11.04 18:09:44 | 000,000,000 | ---D | M] (Java String Helper) -- C:\USERS\HY-VAN\APPDATA\ROAMING\5038
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O4 - HKCU..\Run: [2F7ZUJ7G2IWWUB5WQXTNWQFN] C:\SystemData\217FA966C5A.exe /q File not found

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = dword:0x00

:Commands
[emptytemp]
[EMPTYFLASH]
[Reboot]

TDSS-Killer
Download and instructions at: How to combat malware of the Rootkit.Win32.TDSS family?
Unpack all files into a separate directory (e.g. C:\TDSS)!
Launch it from Explorer by double-clicking TDSSKiller.exe.
After it starts a window appears; click "Start Scan" there.
When the scan is finished, please select "Report". A window opens; copy the text and post it here...

chris
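Added here as an editor's example, not part of chris's instructions: a read-only PowerShell audit that reports the two conditions the OTL fix above targets, a Run value whose executable no longer exists ("File not found") and a Browser Helper Object whose CLSID has no registered class ("No CLSID value found"). It assumes Windows PowerShell 5.x on the affected machine; it changes nothing, removal stays with the cleanup tools.

```powershell
# Added example, not part of the OTL fix above: report (without touching anything)
# autostart entries in the two states OTL flagged, "File not found" for a Run
# value and "No CLSID value found" for a Browser Helper Object.
# Assumes Windows PowerShell 5.x; HKCU needs no elevation, HKLM is read only here.

function Get-RunEntryStatus {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            # Separate the executable from its arguments (e.g. the "/q" in the log).
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = (-not [string]::IsNullOrWhiteSpace($exe)) -and
                      (Test-Path -LiteralPath $exe -PathType Leaf)
            [pscustomobject]@{ Key = $keyPath; Name = $name; Command = $cmd; FileExists = $exists }
        }
    }
}

function Get-BhoStatus {
    $bhoKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($keyPath in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $keyPath) {
            $clsid = $sub.PSChildName
            # A registered BHO has HKCR\CLSID\{...}\InprocServer32 pointing at its DLL;
            # HKCR merges the HKCU and HKLM class registrations, so one lookup covers both.
            $server = $null
            $ipPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (Test-Path -LiteralPath $ipPath) {
                $server = (Get-ItemProperty -LiteralPath $ipPath).'(default)'
            }
            $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }
            [pscustomobject]@{
                Key        = $keyPath
                CLSID      = $clsid
                ClassFound = (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid")
                Dll        = $dll
                DllExists  = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
            }
        }
    }
}

# Show only the suspicious rows: orphaned Run values and BHOs with no class or no DLL.
Get-RunEntryStatus | Where-Object { -not $_.FileExists } | Format-Table -AutoSize
Get-BhoStatus | Where-Object { -not $_.ClassFound -or -not $_.DllExists } | Format-Table -AutoSize
```

An orphaned entry is not proof of infection on its own (uninstallers leave them behind too), but a Run value pointing at a deleted file in an unusual directory, as in the log above, is worth a second look.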

18.12.2011, 15:21   #7
Khala

Did the OTL fix and restarted the PC.
TDSSKiller gives no results, but the RunDLL message still appears.

Regards

19.12.2011, 07:38   #8
Chris4You

Hi,

the fix didn't work, the items are still there...
(the end tag was missing there, my mistake)...
Or you posted the wrong OTL log...

Scan with SystemLook

Download SystemLook from one of the following links and save the tool to the desktop.
http://jpshortstuff.247fixes.com/SystemLook.exe - http://images.malwareremoval.com/jps...SystemLook.exe
  • Double-click SystemLook.exe to start the tool.
  • Vista/Win7 users: right-click and run as administrator.
  • Copy the contents of the following code box into the tool's text field:

Code:
:regfind
WPBT0.DLL

  • Now click the Look button to start the scan.
When the search is finished, your editor will open with the results; post them here in the thread.
The results are saved on the desktop as SystemLook.txt.

Combofix
Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop.
Switch your antivirus solution off completely, in such a way that it does NOT turn itself back on after a reboot!

Caution: in a few rare cases the machine may no longer boot and will have to be reinstalled from scratch!

Close all windows, start combofix.exe, confirm the following prompt with 1 and press Enter.

The ComboFix scan can take some time, so be patient. Please don't do anything on the machine during the scan.
The machine may be restarted in the process.
When the scan ends a report (ComboFix.txt) is displayed; please copy it and paste it into your thread.

chris
__________________
Don't bring me down
Read before posting!
Donate
(Anyone who wants to donate is welcome to get in touch)

22.12.2011, 18:57   #9
Khala

Hi,

I copied the OTL fix up to Reboot.
Was something still missing? The PC restarted after I did that.

I had another virus yesterday, so I ran another scan with Malwarebytes' Anti-Malware.
Here is the log again:
Quote:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122104

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19088

22.12.2011 18:50:59
mbam-log-2011-12-22 (18-50-50).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 478460
Time elapsed: 1 hour(s), 52 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{C689C99E-3A8C-4c87-A79C-C80DC9C81632} (Trojan.Banker) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C689C99E-3A8C-4C87-A79C-C80DC9C81632} (Trojan.Banker) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C689C99E-3A8C-4C87-A79C-C80DC9C81632} (Trojan.Banker) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C689C99E-3A8C-4C87-A79C-C80DC9C81632} (Trojan.Banker) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{E4653613-9D7F-24B8-6FD2-EA8B7F513320} (Trojan.ZbotR.Gen) -> Value: {E4653613-9D7F-24B8-6FD2-EA8B7F513320} -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
SystemLook gives no results:
Quote:
SystemLook 30.07.11 by jpshortstuff
Log created at 18:54 on 22/12/2011 by Hy Van
Administrator - Elevation successful

========== regfind ==========

Searching for "WPBT0.DLL"
No data found.

-= EOF =-
I'll run ComboFix tomorrow.
I have Avira; I think I know how to turn it off so that it isn't active again after the reboot.
What about Malwarebytes' Anti-Malware?

Regards

22.12.2011, 20:12   #10
Chris4You

Hi,

let MAM remove everything (MAM = Malwarebytes Anti-Malware) (the question is why the registry entries are only being found now).

My mistake with the code block, I forgot the end tag...

Definitely run ComboFix; there may still be a rootkit running around.
If you do online banking, watch your account and change all passwords...

chris
