| |
| |||||||
Log-Analyse und Auswertung: Windows Vista - Infektion mit Sirefef, Sirefef.ABWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
 |
01.10.2012, 09:45
| #1 |
 |  Windows Vista - Infektion mit Sirefef, Sirefef.AB Nachdem wir am anderen Ende der Welt angekommen sind, wollten wir nach 4 Wochen ohne Netzverbindung die nötigen updates ziehen, und meine Partnerin hat dabei wohl das "Flash-update" mit adminrechten versorgt. Alle Scanner haben sofort alarm geschlagen, da war es aber auch schon zu spät. Auch wenn momentan noch nichts wirklich schlimm aussieht, hat es mich nun hier her getrieben. MSE läuft, das Sicherheitscenter incl. Firewall (dienst) ist aber aus und beide lassen sich nicht mehr starten (Der Sicherheitsdienst konnte nicht gestartet werden). Backup ist leider etwas zu alt, so das ich gern das System wieder hin bekommen würde. Bisher habe ich die Anleitung befolgt, OTL, Gmer und Malwarebytes logs sind im Anhang. OTL bricht mit einem Fehler ab, die aber meiner Meinung nach nichts mit dem Befall zu tun hat (siehe Bild). Ich kann keine Datei mit diesem Datum finden, aber wenn ich OTL ohne Datumseinschränkung starte, läuft es durch. Daher ist das OTL Log ziemlich Lang und seperat im Anhang :/ Stand jetzt: Malwarebytes hat beim ersten Scan (siehe Log) einiges gefunden. Dies wurde leider bereits "bereinigt". Sorry dafür - ein aktueller Scan findet nix mehr, aber Sicherheitscenter und FW bleiben defekt. |
|
02.10.2012, 19:01
| #2 |
| /// Malwareteam   | Windows Vista - Infektion mit Sirefef, Sirefef.AB Ich habe dein Thema in Arbeit und melde mich so schnell als möglich mit weiteren Anweisungen. Bitte beachte, dass alle meine Antworten zuerst von einem Ausbilder freigegeben werden müssen, bevor ich diese hier posten darf. Dies garantiert, dass Du Hilfe von einem ausgebildeten Helfer bekommst. Ich bedanke mich für deine Geduld 
__________________ |
|
03.10.2012, 12:21
| #3 |
| /// Malwareteam | Windows Vista - Infektion mit Sirefef, Sirefef.AB Hallo und
__________________Ich bin Christoph und möchte dir bei deinem Problem helfen. Eine Bereinigung ist mitunter mit viel Arbeit für Dich verbunden.
Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der schnellere und immer der sicherste Weg. Solltest Du Dich für eine Bereinigung entscheiden, arbeite solange mit, bis dir jemand vom Team sagt, dass dein PC clean ist. Vista und Win7 User Alle Tools mit Rechtsklick "als Administrator ausführen" starten. Schritt 1 Ich habe gesehen, dass auf dem Rechner eine Doktorarbeit und Bewerbungsunterlagen lagern. Du solltest auf jeden Fall ein Backup dieser und weiterer sensibler Daten anlegen, bevor du fortfährst! Schritt 2 Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!Downloade dir bitte Combofix vom folgenden Downloadspiegel Link 1 WICHTIG - Speichere Combofix auf deinem Desktop
Wenn Combofix fertig ist, wird es eine Logfile erstellen. Bitte poste die C:\Combofix.txt in deiner nächsten Antwort. Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten starte den Rechner einfach neu. Dies sollte das Problem beheben. Schritt 3 Wie läuft der Rechner? Startet das Sicherheitscenter usw. wieder? Bitte poste in deiner nächsten Antwort
__________________ |
|
04.10.2012, 00:15
| #4 |
| | Windows Vista - Infektion mit Sirefef, Sirefef.AB Ein Backup habe ich gemacht, dazu musste ich leider Acronis installieren. Dafür gibts jetzt eine volles BU. Combofix ist durchgelaufen. Beim start hat es gemault, weil Avira Antivir noch aktiv ist. Allerdings ist AntiVir schon länger deinstalliert. Ich habe noch mal alles durchgeschaut: - Programme und Funktionen = kein AV - Prozesse aller User = Kein AV - Dienste = Kein AV Also war ich mutig und hab Combofix dennoch laufen lassen. Lief wie gesagt durch und hat auch das Log angelegt. Aber dann war ich wohl etwas zu eilig und wollte die Kiste neustarten, bevor der letzte Boot richtig durch war. Dabei ist der Rechner abgestürzt und hängt jetzt vor dem Login beim cursor on black fest. Der Taskmanager lässt sich nicht öffnen und auch der abgesicherte Modus hilft nicht weiter. Wahrscheinlich stelle ich einfach das BU wieder her und probiere es nochmal, ohne am Ende in Hektik zu verfallen.  Das wird dann aber wieder einene Moment dauern, ich melde mich wenn es so weit ist. Ok, schlechte Nachricht: Es ist der Einsatz von Combofix der das System in einen un-bootbaren zustand bringt. Ich habe:
Ich kann das System jederzeit wieder auf den Anfangsstand zurücksetzten. Was ich jetzt in der Zwischenzeit machen werde, ist ein inplace upgrade von Vista starten, um mir die Zeit zu vertreiben. Wenn das auch nicht klappt, setzte ich zurück und warte auf neue Instruktionen. Btw: Ich konnte mittels boot-usb stick die Combofix.txt retten. Bitteschön: Code:
ATTFilter ComboFix 12-10-03.03 - Nina 04.10.2012 16:14:52.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.2046.1625 [GMT 13:00]
ausgeführt von:: c:\users\Nina\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\msvcr71.dll
c:\windows\system32\pthreadVC.dll
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-09-04 bis 2012-10-04 ))))))))))))))))))))))))))))))
.
.
2012-10-04 03:21 . 2012-10-04 03:21 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-10-04 03:21 . 2012-10-04 03:21 -------- d-----w- c:\users\Florian\AppData\Local\temp
2012-10-04 03:21 . 2012-10-04 03:22 -------- d-----w- c:\users\Nina\AppData\Local\temp
2012-10-04 03:21 . 2012-10-04 03:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-02 22:10 . 2012-10-02 22:10 234752 ----a-w- c:\windows\system32\drivers\afcdp.sys
2012-10-02 22:10 . 2012-10-02 22:10 775232 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2012-10-02 22:10 . 2012-10-02 22:10 614592 ----a-w- c:\windows\system32\drivers\timntr.sys
2012-10-02 22:09 . 2012-10-02 22:09 126880 ----a-w- c:\windows\system32\drivers\vididr.sys
2012-10-02 22:09 . 2012-10-02 22:09 86496 ----a-w- c:\windows\system32\drivers\vsflt67.sys
2012-10-02 22:09 . 2012-10-02 22:09 177600 ----a-w- c:\windows\system32\drivers\snapman.sys
2012-10-02 22:09 . 2012-10-02 22:09 80416 ----a-w- c:\windows\system32\drivers\fltsrv.sys
2012-10-02 22:08 . 2012-10-02 22:08 -------- d-----w- c:\program files\Acronis
2012-10-02 22:07 . 2012-10-02 22:10 -------- d-----w- c:\program files\Common Files\Acronis
2012-10-02 21:33 . 2012-09-18 11:59 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EAAD08E7-3183-4182-BF59-A521D2D428E0}\mpengine.dll
2012-10-02 12:08 . 2012-10-02 21:24 -------- d-----w- c:\programdata\NVIDIA
2012-10-02 11:33 . 2012-10-02 11:33 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-10-02 11:32 . 2010-04-26 22:04 381816 ----a-w- c:\windows\system32\PsExec.exe
2012-10-02 05:03 . 2012-10-02 12:00 -------- d-----w- c:\users\Nina\AppData\Local\ElevatedDiagnostics
2012-10-01 20:25 . 2012-09-18 11:59 6980552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-30 09:04 . 2012-09-30 09:04 -------- d-----w- c:\users\Nina\AppData\Roaming\Malwarebytes
2012-09-30 09:02 . 2012-09-30 09:02 -------- d-----w- c:\programdata\Malwarebytes
2012-09-30 09:02 . 2012-09-07 04:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-30 09:02 . 2012-09-30 09:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-30 07:11 . 2012-09-30 22:08 -------- d-----w- c:\program files\Common Files\Steam
2012-09-30 07:11 . 2012-10-01 08:12 -------- d-----w- c:\program files\Steam
2012-09-30 06:08 . 2012-02-09 01:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-30 06:08 . 2012-02-09 01:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C0E24A38-5BFC-4101-A546-59D6C3DAD3BC}\gapaengine.dll
2012-09-30 05:58 . 2012-10-02 11:43 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-30 05:33 . 2012-09-30 22:03 -------- d-----w- c:\users\Nina\AppData\Roaming\Haewevv
2012-09-30 05:33 . 2012-09-30 05:36 -------- d-----w- c:\users\Nina\AppData\Roaming\Izu
2012-09-29 09:33 . 2012-09-18 22:59 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C86BF41-E1EC-4DD2-97A3-BA4B5585189C}\mpengine.dll
2012-09-27 03:36 . 2012-09-27 03:36 -------- d-----w- c:\program files\Common Files\Skype
2012-09-27 02:03 . 2012-09-27 02:03 -------- d-----w- c:\program files\Microsoft
2012-09-19 10:42 . 2012-09-19 10:42 -------- d-----w- c:\users\Florian\AppData\Roaming\dvdcss
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-01 05:55 . 2007-11-06 11:21 45056 ----a-w- c:\windows\system32\acovcnt.exe
2012-08-30 09:03 . 2012-08-30 09:03 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-30 09:03 . 2012-03-20 07:44 99272 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-07-22 11:47 . 2011-03-28 16:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 4444160]
"Skytel"="Skytel.exe" [2007-04-13 1822720]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 857648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-01 13789728]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2012-06-28 5955088]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2012-06-28 1171336]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2012-06-28 403144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Camera ScreenSaver]
2007-11-06 11:27 37232 ----a-w- c:\windows\ASScrProlog.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
2007-11-06 11:27 33136 ----a-w- c:\windows\ASScrPro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMReminderService]
2008-11-14 02:35 37656 ----a-w- c:\program files\Mindjet\MindManager 8\MmReminderService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2012-03-08 16:50 4280184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
2007-06-26 18:10 778240 ----a-w- c:\program files\PowerForPhone\PowerForPhone.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-07-13 01:33 17418928 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2009-10-26 01:46 1458176 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-06-13 06:16 528384 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2012-09-30 07:16 1353080 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [x]
R3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [x]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Inhalt des "geplante Tasks" Ordners
.
2012-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-15 21:29]
.
2012-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-15 21:29]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.t-online.de/
uInternet Settings,ProxyOverride = *.local
IE: &Citavi Picker... - file://c:\program files\Internet Explorer\PLUGINS\Citavi Picker\ShowContextMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: t-online.de\email
TCP: DhcpNameServer = 192.168.1.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
ShellIconOverlayIdentifiers- - (no file)
ShellIconOverlayIdentifiers- - (no file)
ShellIconOverlayIdentifiers- - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2012-10-04 16:22
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'Explorer.exe'(692)
c:\program files\Acronis\TrueImageHome\tishell.dll
c:\program files\Acronis\TrueImageHome\timounter.dll
c:\program files\Acronis\TrueImageHome\ti_managers_proxy_stub.dll
.
Zeit der Fertigstellung: 2012-10-04 16:24:47
ComboFix-quarantined-files.txt 2012-10-04 03:24
.
Vor Suchlauf: 8 Verzeichnis(se), 17.589.530.624 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 21.100.048.384 Bytes frei
.
- - End Of File - - 341A9CB73539DABB663E6D7559AE0AFC
 |
|
04.10.2012, 14:04
| #5 |
| /// Malwareteam | Windows Vista - Infektion mit Sirefef, Sirefef.AB Hi Ok, setzte bitte wieder auf den Zeitpunkt vor Combofix zurück. Dann, mache Folgendes: Downloade dir bitte Farbar Recovery Scan Tool 32-Bit und speichere diese auf einen USB Stick. Schließe den USB Stick an das infizierte System an. Du musst das System nun in die System Reparatur Option booten. Über den Boot Manager
Mit Windows CD/DVD
Wähle in den Reparaturoptionen Eingabeaufforderung
__________________ Keep Jazzing!  DerJazzer Imperare sibi maximum imperium est. ©Seneca Wenn du uns unterstützen möchtest | http://www.anaesthesist-werden.de/ |
|
04.10.2012, 21:45
| #6 |
| | Windows Vista - Infektion mit Sirefef, Sirefef.AB War nicht so einfach. Da es wohl so eine schreckliche ASUS OEM Version ist, gibt es keine Reperaturoption im Bootmenu. Ich kann nur seperat von der Asus Partion booten und C: in den Ausgangszustand wiederherstellen. Habe jetzt eine Vista Home Premium deutsch Installation gefunden, mit der kam ich auch in den Reperatur-"modus". Code:
ATTFilter OTL Extras logfile created on: 01.10.2012 12:46:25 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Nina\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
2,00 Gb Total Physical Memory | 1,06 Gb Available Physical Memory | 52,84% Memory free
4,23 Gb Paging File | 2,87 Gb Available in Paging File | 67,81% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 116,44 Gb Total Space | 22,37 Gb Free Space | 19,21% Space Free | Partition Type: NTFS
Drive D: | 109,60 Gb Total Space | 31,06 Gb Free Space | 28,34% Space Free | Partition Type: NTFS
Drive F: | 967,22 Mb Total Space | 954,89 Mb Free Space | 98,73% Space Free | Partition Type: FAT
Computer Name: NINA-PC | User Name: Nina | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L"
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
========== Firewall Settings ==========
========== Authorized Applications List ==========
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{139B0FFA-187E-4BA1-BCA6-6B56B2B6AB8C}" = ATK Media
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1BA1DBDC-5431-46FD-A66F-A17EB1C439EE}" = Windows Live Messenger
"{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}" = LifeFrame2
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F698102-5739-441E-96F0-74F4EA540F06}" = Attansic Ethernet Utility
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{25BEC3AB-5CD4-481D-9143-215C1BBB189E}" = Sony Ericsson PC Suite
"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword
"{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack
"{3912D529-02BC-4CA8-B5ED-0D0C20EB6003}" = ATK Hotkey
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5C1DB4ED-E9B4-402D-BB14-D75D97D6C1A6}" = ATKOSD2
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{626C034B-50B8-47BD-AF93-EEFD0FA78FF4}" = Character Builder
"{6324A1EF-CEF4-43E3-8BCD-9EF3F67317FD}" = NB Probe
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{83F73CB1-7705-49D1-9852-84D839CA2A45}" = Wireless Console 2
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8CFEBE9C-F29F-4C49-80E0-7106970F8734}" = Power4Gear eXtreme
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0015-040C-0000-0000000FF1CE}" = Microsoft Office Access MUI (French) 2007
"{90120000-0015-040C-0000-0000000FF1CE}_PROHYBRIDR_{CF3C20A6-47B7-48DA-95C1-6FBB5A439AF8}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0015-0410-0000-0000000FF1CE}" = Microsoft Office Access MUI (Italian) 2007
"{90120000-0015-0410-0000-0000000FF1CE}_PROHYBRIDR_{7F40286D-09A7-4DC0-A2A4-AA18D026D369}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0015-0413-0000-0000000FF1CE}" = Microsoft Office Access MUI (Dutch) 2007
"{90120000-0015-0413-0000-0000000FF1CE}_PROHYBRIDR_{26257879-B20D-4D30-A429-B387A4890929}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-040C-0000-0000000FF1CE}" = Microsoft Office Excel MUI (French) 2007
"{90120000-0016-040C-0000-0000000FF1CE}_PROHYBRIDR_{CF3C20A6-47B7-48DA-95C1-6FBB5A439AF8}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0410-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Italian) 2007
"{90120000-0016-0410-0000-0000000FF1CE}_PROHYBRIDR_{7F40286D-09A7-4DC0-A2A4-AA18D026D369}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0413-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Dutch) 2007
"{90120000-0016-0413-0000-0000000FF1CE}_PROHYBRIDR_{26257879-B20D-4D30-A429-B387A4890929}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-040C-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (French) 2007
"{90120000-0018-040C-0000-0000000FF1CE}_PROHYBRIDR_{CF3C20A6-47B7-48DA-95C1-6FBB5A439AF8}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0410-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Italian) 2007
"{90120000-0018-0410-0000-0000000FF1CE}_PROHYBRIDR_{7F40286D-09A7-4DC0-A2A4-AA18D026D369}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0413-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Dutch) 2007
"{90120000-0018-0413-0000-0000000FF1CE}_PROHYBRIDR_{26257879-B20D-4D30-A429-B387A4890929}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-040C-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (French) 2007
"{90120000-0019-040C-0000-0000000FF1CE}_PROHYBRIDR_{CF3C20A6-47B7-48DA-95C1-6FBB5A439AF8}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0410-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Italian) 2007
"{90120000-0019-0410-0000-0000000FF1CE}_PROHYBRIDR_{7F40286D-09A7-4DC0-A2A4-AA18D026D369}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0413-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Dutch) 2007
"{90120000-0019-0413-0000-0000000FF1CE}_PROHYBRIDR_{26257879-B20D-4D30-A429-B387A4890929}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-040C-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (French) 2007
"{90120000-001A-040C-0000-0000000FF1CE}_PROHYBRIDR_{CF3C20A6-47B7-48DA-95C1-6FBB5A439AF8}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0410-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Italian) 2007
"{90120000-001A-0410-0000-0000000FF1CE}_PROHYBRIDR_{7F40286D-09A7-4DC0-A2A4-AA18D026D369}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0413-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Dutch) 2007
"{90120000-001A-0413-0000-0000000FF1CE}_PROHYBRIDR_{26257879-B20D-4D30-A429-B387A4890929}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}_PROHYBRIDR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-040C-0000-0000000FF1CE}" = Microsoft Office Word MUI (French) 2007
"{90120000-001B-040C-0000-0000000FF1CE}_PROHYBRIDR_{CF3C20A6-47B7-48DA-95C1-6FBB5A439AF8}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0410-0000-0000000FF1CE}" = Microsoft Office Word MUI (Italian) 2007
"{90120000-001B-0410-0000-0000000FF1CE}_PROHYBRIDR_{7F40286D-09A7-4DC0-A2A4-AA18D026D369}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0413-0000-0000000FF1CE}" = Microsoft Office Word MUI (Dutch) 2007
"{90120000-001B-0413-0000-0000000FF1CE}_PROHYBRIDR_{26257879-B20D-4D30-A429-B387A4890929}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0401-0000-0000000FF1CE}" = Microsoft Office Proof (Arabic) 2007
"{90120000-001F-0401-0000-0000000FF1CE}_PROHYBRIDR_{3E8EA473-ECCE-405F-A9CA-59446AEADD3A}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}_PROHYBRIDR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}_PROHYBRIDR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0413-0000-0000000FF1CE}" = Microsoft Office Proof (Dutch) 2007
"{90120000-001F-0413-0000-0000000FF1CE}_PROHYBRIDR_{2C95E7EE-FEA7-4B3A-A6E5-DF90A88B816A}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-002C-040C-0000-0000000FF1CE}" = Microsoft Office Proofing (French) 2007
"{90120000-002C-0410-0000-0000000FF1CE}" = Microsoft Office Proofing (Italian) 2007
"{90120000-002C-0413-0000-0000000FF1CE}" = Microsoft Office Proofing (Dutch) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0407-0000-0000000FF1CE}_PROHYBRIDR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-040C-0000-0000000FF1CE}" = Microsoft Office Shared MUI (French) 2007
"{90120000-006E-040C-0000-0000000FF1CE}_PROHYBRIDR_{8283FD64-6A3B-4104-9E12-7CA25EF29A1A}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0410-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Italian) 2007
"{90120000-006E-0410-0000-0000000FF1CE}_PROHYBRIDR_{C0C7E58F-D0A1-4102-855B-0B7AA2E8F1C1}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0413-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Dutch) 2007
"{90120000-006E-0413-0000-0000000FF1CE}_PROHYBRIDR_{1D12BC91-360E-424C-97C4-813651313660}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A203F249-2267-409A-A862-92D2965CBFCA}" = Brother HL-2035
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
"{C0FC1C14-4824-4A73-87A6-9E888C9C3102}" = ASUS Splendid Video Enhancement Technology
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}" = Sony Ericsson Drivers
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}" = Sony Ericsson Device Data
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D3D54F3E-C5C3-443D-978F-87A72E5616E8}" = ATK Generic Function Service
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D6BF6477-8369-489F-8DE6-3731F4B88560}" = Sony Ericsson PC Suite
"{D7FD752A-DDB9-4685-83FD-E20C7C59BD84}" = Mindjet MindManager 8
"{DE10AB76-4756-4913-BE25-55D1C1051F9A}" = WinFlash
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E28B1E6F-E0AA-4228-AB89-DB4A0C89D426}" = AVerTV
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E657B243-9AD4-4ECC-BE81-4CCF8D667FD0}" = ASUS Live Update
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F5D7FAB5-A1FD-4DD3-983E-4155B09D7102}" = mCore
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"{FC3D290D-79BE-44B7-ABF9-FDD110925930}" = PowerForPhone
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Asus_Camera_ScreenSaver" = Asus_Camera_ScreenSaver
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.13 (Unicode)
"AVerMedia A850 USB DMB-TH" = AVerMedia A850 USB DMB-TH 1.0.0.30
"Citavi" = Citavi 2.5
"Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 3.1
"Google Chrome Frame" = Google Chrome Frame
"Guild Wars" = GUILD WARS
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{E28B1E6F-E0AA-4228-AB89-DB4A0C89D426}" = AVerTV
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.65.0.1400
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Microsoft Security Client" = Microsoft Security Essentials
"NVIDIA Drivers" = NVIDIA Drivers
"PDF-XChange 3_is1" = PDF-XChange 3
"PROHYBRIDR" = 2007 Microsoft Office system
"ProInst" = Intel(R) PROSet/Wireless Software
"ScummVM_is1" = ScummVM Git
"Simple PDF Merger_is1" = Simple PDF Merger 1.0
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"Steam App 8930" = Sid Meier's Civilization V
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uninstall_is1" = Uninstall 1.0.0.1
"USB 2.0 1.3M UVC WebCam" = USB 2.0 1.3M UVC WebCam
"VLC media player" = VideoLAN VLC media player 0.8.6d
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinLiveSuite" = Windows Live Essentials
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 30.09.2012 03:08:53 | Computer Name = Nina-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x00000000, Prozess-ID 0x1560, Anwendungsstartzeit
01cd9eda7333fe4f.
Error - 30.09.2012 03:09:59 | Computer Name = Nina-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x00000000, Prozess-ID 0x1440, Anwendungsstartzeit
01cd9eda9a2ca5bf.
Error - 30.09.2012 03:11:04 | Computer Name = Nina-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung svchost.exe, Version 6.0.6001.18000, Zeitstempel
0x47918b89, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel 0x00000000,
Ausnahmecode 0xc0000005, Fehleroffset 0x00000000, Prozess-ID 0x494, Anwendungsstartzeit
01cd9edac11bfe5f.
Error - 30.09.2012 03:11:09 | Computer Name = Nina-PC | Source = Steam Client Service | ID = 1
Description = Error: Failed to poke open firewall
Error - 30.09.2012 03:29:57 | Computer Name = Nina-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung LiveUpdt.exe, Version 2.0.0.0, Zeitstempel 0x464177a8,
fehlerhaftes Modul kernel32.dll, Version 6.0.6002.18449, Zeitstempel 0x4da47967,
Ausnahmecode 0xe06d7363, Fehleroffset 0x0003fc56, Prozess-ID 0x1630, Anwendungsstartzeit
01cd9edc9b29d7c9.
Error - 30.09.2012 03:56:29 | Computer Name = Nina-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung LiveUpdt.exe, Version 2.0.0.0, Zeitstempel 0x464177a8,
fehlerhaftes Modul kernel32.dll, Version 6.0.6002.18449, Zeitstempel 0x4da47967,
Ausnahmecode 0xe06d7363, Fehleroffset 0x0003fc56, Prozess-ID 0x1684, Anwendungsstartzeit
01cd9ee025dee0b2.
Error - 30.09.2012 06:44:54 | Computer Name = Nina-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung Application Launcher.exe, Version 2.2.12.63,
Zeitstempel 0x466921ca, fehlerhaftes Modul unknown, Version 0.0.0.0, Zeitstempel
0x00000000, Ausnahmecode 0xc0000005, Fehleroffset 0x059cd200, Prozess-ID 0x590,
Anwendungsstartzeit 01cd9ee65566d1d1.
Error - 30.09.2012 06:59:34 | Computer Name = Nina-PC | Source = EventSystem | ID = 4609
Description =
Error - 30.09.2012 18:21:47 | Computer Name = Nina-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung LiveUpdt.exe, Version 2.0.0.0, Zeitstempel 0x464177a8,
fehlerhaftes Modul kernel32.dll, Version 6.0.6002.18449, Zeitstempel 0x4da47967,
Ausnahmecode 0xe06d7363, Fehleroffset 0x0003fc56, Prozess-ID 0x15bc, Anwendungsstartzeit
01cd9f5937690224.
Error - 30.09.2012 18:45:30 | Computer Name = Nina-PC | Source = Perflib | ID = 1010
Description =
[ Media Center Events ]
Error - 26.06.2011 11:33:09 | Computer Name = Nina-PC | Source = Mcx2Svc | ID = 301
Description =
Error - 26.06.2011 11:44:36 | Computer Name = Nina-PC | Source = Mcx2Svc | ID = 301
Description =
Error - 26.06.2011 11:48:07 | Computer Name = Nina-PC | Source = Mcx2Svc | ID = 301
Description =
Error - 26.06.2011 11:56:48 | Computer Name = Nina-PC | Source = McrMgr | ID = 107
Description =
Error - 26.06.2011 14:18:34 | Computer Name = Nina-PC | Source = ehRecvr | ID = 3
Description =
Error - 01.12.2011 15:29:11 | Computer Name = Nina-PC | Source = ehRecvr | ID = 3
Description =
Error - 01.12.2011 15:30:35 | Computer Name = Nina-PC | Source = ehRecvr | ID = 3
Description =
Error - 09.12.2011 15:15:48 | Computer Name = Nina-PC | Source = ehRecvr | ID = 3
Description =
Error - 12.04.2012 14:05:23 | Computer Name = Nina-PC | Source = ehRecvr | ID = 4
Description =
Error - 13.06.2012 12:55:50 | Computer Name = Nina-PC | Source = ehRecvr | ID = 3
Description =
[ OSession Events ]
Error - 15.08.2010 15:48:04 | Computer Name = Nina-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 14860
seconds with 120 seconds of active time. This session ended with a crash.
Error - 03.03.2011 12:23:19 | Computer Name = Nina-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 253
seconds with 240 seconds of active time. This session ended with a crash.
[ System Events ]
Error - 30.09.2012 07:00:18 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7026
Description =
Error - 30.09.2012 07:00:18 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7001
Description =
Error - 30.09.2012 07:00:18 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7001
Description =
Error - 30.09.2012 07:00:18 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7001
Description =
Error - 30.09.2012 07:00:18 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7001
Description =
Error - 30.09.2012 07:00:58 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7001
Description =
Error - 30.09.2012 18:06:10 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7024
Description =
Error - 30.09.2012 18:06:10 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7000
Description =
Error - 30.09.2012 18:12:55 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7024
Description =
Error - 30.09.2012 18:17:03 | Computer Name = Nina-PC | Source = Service Control Manager | ID = 7024
Description =
< End of report >
|
|
04.10.2012, 22:51
| #7 |
| /// Malwareteam | Windows Vista - Infektion mit Sirefef, Sirefef.AB Was du da gepostet hast ist die Extras.txt von einem OTL-Scan. Ich brauche aber die FRST.txt von einem Scan mit FRST in den Reperaturoptionen.
__________________ Keep Jazzing! DerJazzer Imperare sibi maximum imperium est. ©Seneca Wenn du uns unterstützen möchtest | http://www.anaesthesist-werden.de/ |
|
04.10.2012, 23:17
| #8 |
| | Windows Vista - Infektion mit Sirefef, Sirefef.AB ups Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-10-2012 01
Ran by SYSTEM at 05-10-2012 09:38:42
Running from G:\
Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: German Standard
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE [61440 2006-11-02] (ASUSTeK Computer INC.)
HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [857648 2007-03-01] (Synaptics, Inc.)
HKLM\...\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [174872 2007-02-12] (Intel Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-15] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [417792 2009-11-10] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [141608 2010-02-15] (Apple Inc.)
HKLM\...\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe [x]
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947176 2012-09-12] (Microsoft Corporation)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13789728 2009-07-01] (NVIDIA Corporation)
HKLM\...\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [1458176 2009-10-26] (Motorola Inc.)
HKLM\...\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [5955088 2012-06-28] (Acronis)
HKLM\...\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [1171336 2012-06-28] (Acronis)
HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [403144 2012-06-28] (Acronis)
HKU\Florian\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\Mcx1\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\Mcx1\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [173056 2009-04-11] (Microsoft Corporation)
HKU\Nina\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\Nina\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
==================== Services (Whitelisted) ===================
2 AcrSch2Svc; "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" [821048 2012-06-28] (Acronis)
2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3459024 2012-10-02] (Acronis)
4 Apple Mobile Device; "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" [144672 2009-08-28] (Apple Inc.)
4 ASLDRService; C:\Program Files\ATK Hotkey\ASLDRSrv.exe [94208 2007-02-06] ()
2 ATKGFNEXSrv; C:\Program Files\ATKGFNEX\GFNEXSrv.exe [94208 2007-05-15] ()
4 AVerRemote; C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe [348160 2009-10-31] (AVerMedia)
4 AVerScheduleService; C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe [397312 2009-12-07] ()
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [20472 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [287824 2012-09-12] (Microsoft Corporation)
2 spmgr; C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe [123248 2006-12-29] ()
2 syncagentsrv; "C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe" [5915352 2012-06-28] (Acronis)
4 NMIndexingService; "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" [x]
==================== Drivers (Whitelisted) ====================
2 ASMMAP; \??\C:\Program Files\ATKGFNEX\ASMMAP.sys [11632 2007-02-05] ()
3 AtcL001; C:\Windows\System32\DRIVERS\atl01v32.sys [48128 2007-03-15] (Attansic Technology corporation.)
3 AVerAF15DMBTH; C:\Windows\System32\Drivers\AVerAF15DMBTH.sys [569728 2010-05-06] (AVerMedia TECHNOLOGIES, Inc.)
2 ghaio; \??\C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys [15216 2006-11-16] ()
3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [5632 2007-01-24] ( )
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2006-12-14] (ATK0100)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1743232 2007-05-25] ()
4 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2009-10-31] (Duplex Secure Ltd.)
0 tdrpman; C:\Windows\System32\DRIVERS\tdrpman.sys [775232 2012-10-02] (Acronis)
0 vididr; C:\Windows\System32\DRIVERS\vididr.sys [126880 2012-10-02] (Acronis)
0 vidsflt67; C:\Windows\System32\DRIVERS\vsflt67.sys [86496 2012-10-02] (Acronis)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2012-10-05 09:38 - 2012-10-05 09:38 - 00000000 ____D C:\FRST
2012-10-04 09:52 - 2012-10-04 10:15 - 00001905 ____A C:\Windows\diagwrn.xml
2012-10-04 09:52 - 2012-10-04 10:15 - 00001905 ____A C:\Windows\diagerr.xml
2012-10-02 23:12 - 2012-10-02 23:12 - 00000000 ____D C:\Users\Nina\AppData\Roaming\Acronis
2012-10-02 23:10 - 2012-10-02 23:10 - 00775232 ____A (Acronis) C:\Windows\System32\Drivers\tdrpman.sys
2012-10-02 23:10 - 2012-10-02 23:10 - 00614592 ____A (Acronis) C:\Windows\System32\Drivers\timntr.sys
2012-10-02 23:10 - 2012-10-02 23:10 - 00234752 ____A (Acronis) C:\Windows\System32\Drivers\afcdp.sys
2012-10-02 23:09 - 2012-10-02 23:09 - 00177600 ____A (Acronis) C:\Windows\System32\Drivers\snapman.sys
2012-10-02 23:09 - 2012-10-02 23:09 - 00126880 ____A (Acronis) C:\Windows\System32\Drivers\vididr.sys
2012-10-02 23:09 - 2012-10-02 23:09 - 00086496 ____A (Acronis) C:\Windows\System32\Drivers\vsflt67.sys
2012-10-02 23:09 - 2012-10-02 23:09 - 00080416 ____A (Acronis) C:\Windows\System32\Drivers\fltsrv.sys
2012-10-02 23:08 - 2012-10-02 23:08 - 00001011 ____A C:\Users\Public\Desktop\Acronis True Image Home 2012.lnk
2012-10-02 23:08 - 2012-10-02 23:08 - 00000000 ____D C:\Program Files\Acronis
2012-10-02 23:07 - 2012-10-02 23:10 - 00000000 ____D C:\Program Files\Common Files\Acronis
2012-10-02 22:55 - 2012-08-25 23:30 - 225073224 ____A C:\Users\Nina\Desktop\ATIH2012_trial_en-US.exe
2012-10-02 12:33 - 2012-10-02 12:33 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2012-10-02 12:32 - 2010-04-26 23:04 - 00381816 ____A (Sysinternals - www.sysinternals.com) C:\Windows\System32\PsExec.exe
2012-10-02 12:26 - 2012-10-02 12:26 - 00000422 ____A C:\Windows\BitsRepairTool.log
2012-10-02 11:56 - 2012-10-02 11:56 - 00000000 ____D C:\Users\Nina\Desktop\Neuer Ordner
2012-10-01 09:11 - 2012-10-01 09:11 - 00000000 ____D C:\Users\Nina\AppData\Local\{ECDEF87C-64BF-4661-B9CC-BF20B5C042C5}
2012-10-01 09:02 - 2012-10-01 09:02 - 00000020 ____A C:\Users\Nina\defogger_reenable
2012-10-01 06:56 - 2012-10-01 06:56 - 00000000 ____D C:\Users\Nina\AppData\Local\{A083496B-F28A-454E-ACD6-AE190C1B0283}
2012-10-01 01:01 - 2012-10-01 01:01 - 00060392 ____A C:\Users\Nina\Desktop\Extras.Txt
2012-10-01 00:57 - 2012-10-01 00:57 - 01379872 ____A C:\Users\Nina\Desktop\OTL.Txt
2012-09-30 23:07 - 2012-09-30 23:07 - 00000000 ____D C:\Users\Nina\AppData\Local\{3A09E88B-5581-46ED-9BC1-37B250087C21}
2012-09-30 21:44 - 2012-09-30 11:45 - 00602112 ____A (OldTimer Tools) C:\Users\Nina\Desktop\OTL.exe
2012-09-30 21:44 - 2012-09-30 11:45 - 00302592 ____A C:\Users\Nina\Desktop\soo9ymcb.exe
2012-09-30 10:04 - 2012-09-30 10:04 - 00000000 ____D C:\Users\Nina\AppData\Roaming\Malwarebytes
2012-09-30 10:02 - 2012-09-30 10:02 - 00000913 ____A C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2012-09-30 10:02 - 2012-09-30 10:02 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-09-30 10:02 - 2012-09-07 05:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-30 08:53 - 2012-09-30 08:53 - 00000214 ____A C:\Users\Nina\Desktop\Sid Meier's Civilization V.url
2012-09-30 08:11 - 2012-10-01 09:12 - 00000000 ____D C:\Program Files\Steam
2012-09-30 08:11 - 2012-09-30 23:08 - 00000000 ____D C:\Program Files\Common Files\Steam
2012-09-30 08:11 - 2012-09-30 08:11 - 00000793 ____A C:\Users\Public\Desktop\Steam.lnk
2012-09-30 07:01 - 2012-10-02 12:44 - 00001912 ____A C:\Windows\epplauncher.mif
2012-09-30 06:58 - 2012-10-02 12:43 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-30 06:33 - 2012-09-30 23:03 - 00000000 ____D C:\Users\Nina\AppData\Roaming\Haewevv
2012-09-30 06:33 - 2012-09-30 06:36 - 00000000 ____D C:\Users\Nina\AppData\Roaming\Izu
2012-09-30 06:19 - 2012-09-30 06:20 - 00000000 ____D C:\Users\Nina\AppData\Local\{E6D7D3C0-3687-457D-8D8D-AF6830A285E0}
2012-09-29 10:22 - 2012-09-29 10:22 - 00000000 ____D C:\Users\Nina\AppData\Local\{20666CC0-4259-43A3-A916-C011F1229BFD}
2012-09-27 19:57 - 2012-09-27 19:57 - 00000000 ____D C:\Users\Nina\AppData\Local\{D21FCDC8-0591-4A39-A636-7040B1A90BC8}
2012-09-27 07:40 - 2012-08-24 08:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-27 07:40 - 2012-08-24 08:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-09-27 07:40 - 2012-08-24 07:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-09-27 07:40 - 2012-08-24 07:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-09-27 07:40 - 2012-08-24 07:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-09-27 07:40 - 2012-08-24 07:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-09-27 07:40 - 2012-08-24 07:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-09-27 07:40 - 2012-08-24 07:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-09-27 07:40 - 2012-08-24 07:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-09-27 07:40 - 2012-08-24 07:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-09-27 07:40 - 2012-08-24 07:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-09-27 07:40 - 2012-08-24 07:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-27 07:40 - 2012-08-24 07:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-09-27 07:40 - 2012-08-24 07:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-09-27 07:40 - 2012-08-24 07:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-09-27 07:40 - 2012-08-24 07:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-09-27 06:49 - 2012-09-27 06:49 - 00000000 ____D C:\Users\Nina\AppData\Local\{928279D6-6C89-49E1-8F47-762BC1025D61}
2012-09-27 04:36 - 2012-09-27 04:36 - 00001880 ____A C:\Users\Public\Desktop\Skype.lnk
2012-09-27 04:36 - 2012-09-27 04:36 - 00000000 ____D C:\Program Files\Common Files\Skype
2012-09-27 02:57 - 2012-09-27 02:57 - 00000000 ____D C:\Users\Nina\AppData\Local\{8771A15B-7446-4500-82BD-7D9955761C20}
2012-09-25 23:16 - 2012-09-25 23:16 - 00000000 ____D C:\Users\Nina\AppData\Local\{75BAB726-26B3-489B-AB66-6C843DD63D67}
2012-09-25 01:44 - 2012-09-25 01:44 - 00000000 ____D C:\Users\Nina\AppData\Local\{8E93B501-DBF1-44CF-8D06-26E71FF5752E}
2012-09-22 11:01 - 2012-09-22 11:01 - 00000000 ____D C:\Users\Nina\AppData\Local\{6396CA56-3F9E-4835-A99D-8072AA846B38}
2012-09-19 11:42 - 2012-09-19 11:42 - 00000000 ____D C:\Users\Florian\AppData\Roaming\dvdcss
10508-02-27 20:36 - 2012-06-02 14:25 - 00000000 ____D C:\Users\Nina\Documents\NINA - Queen of Awesomeness and Antarctica
10508-02-27 20:35 - 2012-06-02 14:25 - 00000000 ____D C:\Users\Nina\Documents\Uni und Schule
10508-02-27 20:34 - 2012-06-07 10:19 - 00000000 ____D C:\Users\Nina\Documents\pics from NZ friends
==================== 3 Months Modified Files ==================
2012-10-04 21:20 - 2009-12-15 22:29 - 00001094 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-04 21:20 - 2006-11-02 14:01 - 00032632 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-10-04 21:20 - 2006-11-02 14:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-04 21:20 - 2006-11-02 13:47 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-04 21:20 - 2006-11-02 13:47 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-04 21:18 - 2007-04-18 09:33 - 00000012 ____A C:\Windows\bthservsdp.dat
2012-10-04 16:20 - 2009-12-15 22:29 - 00001090 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-04 15:00 - 2007-11-06 10:54 - 01581341 ____A C:\Windows\WindowsUpdate.log
2012-10-04 10:15 - 2012-10-04 09:52 - 00001905 ____A C:\Windows\diagwrn.xml
2012-10-04 10:15 - 2012-10-04 09:52 - 00001905 ____A C:\Windows\diagerr.xml
2012-10-04 10:14 - 2006-11-02 13:52 - 00000000 ____A C:\Windows\setuperr.log
2012-10-04 10:14 - 2006-11-02 13:52 - 00000000 ____A C:\Windows\setupact.log
2012-10-04 09:54 - 2006-11-02 11:33 - 01458792 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-04 09:49 - 2007-11-06 12:19 - 00059546 ____A C:\Windows\PFRO.log
2012-10-02 23:10 - 2012-10-02 23:10 - 00775232 ____A (Acronis) C:\Windows\System32\Drivers\tdrpman.sys
2012-10-02 23:10 - 2012-10-02 23:10 - 00614592 ____A (Acronis) C:\Windows\System32\Drivers\timntr.sys
2012-10-02 23:10 - 2012-10-02 23:10 - 00234752 ____A (Acronis) C:\Windows\System32\Drivers\afcdp.sys
2012-10-02 23:09 - 2012-10-02 23:09 - 00177600 ____A (Acronis) C:\Windows\System32\Drivers\snapman.sys
2012-10-02 23:09 - 2012-10-02 23:09 - 00126880 ____A (Acronis) C:\Windows\System32\Drivers\vididr.sys
2012-10-02 23:09 - 2012-10-02 23:09 - 00086496 ____A (Acronis) C:\Windows\System32\Drivers\vsflt67.sys
2012-10-02 23:09 - 2012-10-02 23:09 - 00080416 ____A (Acronis) C:\Windows\System32\Drivers\fltsrv.sys
2012-10-02 23:08 - 2012-10-02 23:08 - 00001011 ____A C:\Users\Public\Desktop\Acronis True Image Home 2012.lnk
2012-10-02 12:54 - 2007-12-26 18:52 - 00052566 ____A C:\Users\Nina\AppData\Roaming\nvModes.001
2012-10-02 12:44 - 2012-09-30 07:01 - 00001912 ____A C:\Windows\epplauncher.mif
2012-10-02 12:33 - 2012-10-02 12:33 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2012-10-02 12:26 - 2012-10-02 12:26 - 00000422 ____A C:\Windows\BitsRepairTool.log
2012-10-01 09:02 - 2012-10-01 09:02 - 00000020 ____A C:\Users\Nina\defogger_reenable
2012-10-01 06:55 - 2007-11-06 12:21 - 00045056 ____A C:\Windows\System32\acovcnt.exe
2012-10-01 01:01 - 2012-10-01 01:01 - 00060392 ____A C:\Users\Nina\Desktop\Extras.Txt
2012-10-01 00:57 - 2012-10-01 00:57 - 01379872 ____A C:\Users\Nina\Desktop\OTL.Txt
2012-09-30 11:45 - 2012-09-30 21:44 - 00602112 ____A (OldTimer Tools) C:\Users\Nina\Desktop\OTL.exe
2012-09-30 11:45 - 2012-09-30 21:44 - 00302592 ____A C:\Users\Nina\Desktop\soo9ymcb.exe
2012-09-30 10:02 - 2012-09-30 10:02 - 00000913 ____A C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2012-09-30 09:34 - 2010-02-22 23:39 - 00035541 ____A C:\Users\Florian\AppData\Roaming\nvModes.001
2012-09-30 08:53 - 2012-09-30 08:53 - 00000214 ____A C:\Users\Nina\Desktop\Sid Meier's Civilization V.url
2012-09-30 08:11 - 2012-09-30 08:11 - 00000793 ____A C:\Users\Public\Desktop\Steam.lnk
2012-09-27 07:36 - 2006-11-02 11:24 - 62164608 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-09-27 04:36 - 2012-09-27 04:36 - 00001880 ____A C:\Users\Public\Desktop\Skype.lnk
2012-09-27 03:16 - 2007-12-25 16:47 - 00052566 ____A C:\Users\Nina\AppData\Roaming\nvModes.dat
2012-09-25 01:52 - 2007-11-06 11:11 - 00002631 ____A C:\Users\Nina\Desktop\Microsoft Office Word 2007.lnk
2012-09-19 11:39 - 2010-02-14 13:41 - 00102376 ____A C:\Users\Florian\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-07 05:04 - 2012-09-30 10:02 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-30 10:03 - 2012-08-30 10:03 - 00193552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\MpFilter.sys
2012-08-30 10:03 - 2012-03-20 08:44 - 00099272 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\NisDrvWFP.sys
2012-08-25 23:30 - 2012-10-02 22:55 - 225073224 ____A C:\Users\Nina\Desktop\ATIH2012_trial_en-US.exe
2012-08-24 08:27 - 2012-09-27 07:40 - 12319744 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-24 08:03 - 2012-09-27 07:40 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-24 07:59 - 2012-09-27 07:40 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-24 07:51 - 2012-09-27 07:40 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-24 07:51 - 2012-09-27 07:40 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-24 07:51 - 2012-09-27 07:40 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-24 07:49 - 2012-09-27 07:40 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-24 07:48 - 2012-09-27 07:40 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-24 07:47 - 2012-09-27 07:40 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-24 07:47 - 2012-09-27 07:40 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-24 07:47 - 2012-09-27 07:40 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-24 07:45 - 2012-09-27 07:40 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-24 07:44 - 2012-09-27 07:40 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-24 07:44 - 2012-09-27 07:40 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-24 07:43 - 2012-09-27 07:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-24 07:40 - 2012-09-27 07:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-19 07:56 - 2006-11-02 13:47 - 00380544 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-22 18:34 - 2007-12-23 21:51 - 00102376 ____A C:\Users\Nina\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-12 17:15 - 2006-11-02 11:23 - 00000219 ____A C:\Windows\win.ini
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1915372461-94194756-3268695451-1000\$898db74ea6967aeb234f4d8d0754815e
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$898db74ea6967aeb234f4d8d0754815e
==================== Known DLLs (Whitelisted) =================
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2012-10-01 04:14:41
Restore point made on: 2012-10-02 07:16:58
Restore point made on: 2012-10-02 12:41:19
Restore point made on: 2012-10-02 13:03:07
Restore point made on: 2012-10-02 13:21:40
Restore point made on: 2012-10-02 23:09:45
Restore point made on: 2012-10-04 10:55:21
==================== Memory info ===========================
Percentage of memory in use: 19%
Total physical RAM: 2046.48 MB
Available physical RAM: 1641.52 MB
Total Pagefile: 1854.95 MB
Available Pagefile: 1708.35 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.3 MB
==================== Partitions =============================
1 Drive c: (VistaOS) (Fixed) (Total:116.44 GB) (Free:14.89 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (DATA) (Fixed) (Total:109.6 GB) (Free:31.07 GB) NTFS
4 Drive f: () (Removable) (Total:3.85 GB) (Free:0.95 GB) FAT32
5 Drive g: () (Removable) (Total:0.94 GB) (Free:0.65 GB) FAT
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Datentr ### Status GrӇe Frei Dyn GPT
-------- ---------- ------- ------- --- ---
0 Online 233 GB 0 B
1 Online 3946 MB 0 B
2 Online 968 MB 0 B
Last Boot: 2012-10-04 10:01
==================== End Of Log ============================
|
|
05.10.2012, 09:33
| #9 |
| /// Malwareteam | Windows Vista - Infektion mit Sirefef, Sirefef.AB Hi gehe bitte wie folgt vor: Drücke bitte die  + R Taste und schreibe notepad in das Ausführen Fenster.Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument Code:
ATTFilter HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
2012-09-30 06:33 - 2012-09-30 23:03 - 00000000 ____D C:\Users\Nina\AppData\Roaming\Haewevv
2012-09-30 06:33 - 2012-09-30 06:36 - 00000000 ____D C:\Users\Nina\AppData\Roaming\Izu
C:\$Recycle.Bin\S-1-5-21-1915372461-94194756-3268695451-1000\$898db74ea6967aeb234f4d8d0754815e
C:\$Recycle.Bin\S-1-5-18\$898db74ea6967aeb234f4d8d0754815e
__________________ Keep Jazzing! DerJazzer Imperare sibi maximum imperium est. ©Seneca Wenn du uns unterstützen möchtest | http://www.anaesthesist-werden.de/ |
Linear-Darstellung
