Pests of all kinds and how to fight them: Bank call about Citadel (Windows 7)
#1

Hello, my bank called me a little while ago and said that there is a trojan called Citadel on my computer. I am supposed to run a virus scanner over it. I am doing that right now; I have McAfee, it is almost finished and has found nothing so far. My question is: if the virus scanner finds nothing, is there then really no trojan on my computer? I have two residences with two PCs, so it could be that I have the trojan on my other PC, but I won't see that one again until the day after tomorrow! Many thanks for an answer. As you can surely tell, I don't know my way around this subject very well (and even that is a gross exaggeration)...
#2 (Malware-holic)

hi

Well, you can actually answer that question yourself: it is possible, because if the scanner already let the trojan through, it doesn't necessarily recognise it either :-) Let's have a look. If you don't have it yet, please download OTL by OldTimer and save it to your desktop
Code:
activex
netsvcs
msconfig
%SYSTEMDRIVE%\*.
%PROGRAMFILES%\*.exe
%LOCALAPPDATA%\*.exe
%systemroot%\*. /mp /s
C:\Windows\system32\*.tsp
/md5start
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
explorer.exe
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\*.dll /lockedfiles
%USERPROFILE%\*.*
%USERPROFILE%\Local Settings\Temp\*.exe
%USERPROFILE%\Local Settings\Temp\*.dll
%USERPROFILE%\Application Data\*.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs
CREATERESTOREPOINT
#3

Hello,

the link to OTL doesn't work. Hm, now I've managed it, but my virus scanner is kicking up a fuss; it won't download OTL because it supposedly contains viruses etc. So says McAfee.
#4 (Malware-holic)

Then deactivate it during the scan. OTL contains no malware, we use it every day, so don't worry.
#5

Already done. Fearless woman that I am! Here are the scans: OTL logfile:
ATTFilter OTL logfile created on: 31.10.2012 19:55:01 - Run 1 OTL by OldTimer - Version Folder = C:\Users\xxx\Downloads Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 8.0.7601.17514) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,87 Gb Total Physical Memory | 1,59 Gb Available Physical Memory | 55,53% Memory free 5,73 Gb Paging File | 3,76 Gb Available in Paging File | 65,55% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 266,99 Gb Total Space | 35,12 Gb Free Space | 13,15% Space Free | Partition Type: NTFS Drive D: | 30,00 Gb Total Space | 4,26 Gb Free Space | 14,20% Space Free | Partition Type: NTFS Computer Name: xxxSLAPTOP | User Name: xxx | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\xxx\Downloads\OTL.exe (OldTimer Tools) PRC - C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe (Adobe Systems, Inc.) PRC - C:\Programme\McAfee.com\Agent\mcagent.exe (McAfee, Inc.) PRC - C:\Programme\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) PRC - C:\Programme\Common Files\Mcafee\Core\mchost.exe (McAfee, Inc.) PRC - C:\Programme\TomTom HOME 2\TomTomHOMEService.exe (TomTom) PRC - c:\Programme\McAfee\SiteAdvisor\saUI.exe (McAfee, Inc.) PRC - C:\Windows\System32\mfevtps.exe (McAfee, Inc.) PRC - C:\Programme\Common Files\Mcafee\SystemCore\mfefire.exe (McAfee, Inc.) PRC - C:\Programme\Common Files\Mcafee\SystemCore\mcshield.exe (McAfee, Inc.) PRC - C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Programme\Squeezebox\SqueezeTray.exe (Logitech Inc.) 
PRC - C:\Programme\Canon\Solution Menu EX\CNSEUPDT.EXE (CANON INC.) PRC - C:\Programme\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.) PRC - C:\Programme\Canon\IJ Network Scanner Selector EX\CNMNSST.exe (CANON INC.) PRC - C:\Programme\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation) PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation) PRC - C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE (Microsoft Corporation) PRC - C:\Programme\Realtek\Audio\HDA\RtHDVBg.exe (Realtek Semiconductor) PRC - C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) PRC - C:\Programme\Launch Manager\WButton.exe (Wistron Corp.) PRC - C:\Programme\Launch Manager\HotkeyApp.exe (Wistron) PRC - C:\Programme\Launch Manager\OSD.exe (Wistron Corp.) PRC - C:\Programme\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation) PRC - C:\Programme\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation) PRC - C:\Programme\Common Files\X10\Common\X10nets.exe (X10) PRC - C:\Programme\CyberLink\Power2Go\CLMLSvc.exe (CyberLink) PRC - C:\Programme\Launch Manager\WisLMSvc.exe (Wistron Corp.) PRC - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation) PRC - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE (Microsoft Corporation) PRC - C:\Programme\Common Files\MAGIX Services\Database\bin\FABS.exe (MAGIX AG) PRC - c:\Programme\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.) 
PRC - C:\Programme\Mindjet\MindManager 7\MmReminderService.exe (Mindjet) PRC - C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE (Microsoft Corporation) ========== Modules (No Company Name) ========== MOD - C:\Users\xxx\AppData\Local\Temp\pdk-xxx-2512\bd5179a413bc0c4b82eedc22c6cab101\re.dll () MOD - C:\Users\xxx\AppData\Local\Temp\pdk-xxx-2512\eb138ef0e4282611dbf485a302784646\LibYAML.dll () MOD - C:\Users\xxx\AppData\Local\Temp\pdk-xxx-2512\e56c61f7248672819579325af3387035\POSIX.dll () MOD - C:\Users\xxx\AppData\Local\Temp\pdk-xxx-2512\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll () MOD - C:\Users\xxx\AppData\Local\Temp\pdk-xxx-2512\93e7e3d6030f426844228042348210cf\Service.dll () MOD - C:\Users\xxx\AppData\Local\Temp\pdk-xxx-2512\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll () MOD - C:\Users\xxx\AppData\Local\Temp\pdk-xxx-2512\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll () MOD - C:\Users\xxx\AppData\Local\Temp\pdk-xxx-2512\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\f233f63b6654362865c7577442edb9e3\Win32.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\c5cce8d16a1bd48692b421dcf46d3396\Util.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\4461f48e31bde5c56b31b973b773de09\List.dll () MOD - C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll () MOD - 
C:\Users\Sabine\AppData\Local\Temp\pdk-Sabine-2512\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll () MOD - C:\Windows\System32\Macromed\Flash\NPSWF32_11_4_402_287.dll () MOD - C:\Programme\Mozilla Firefox\mozjs.dll () MOD - C:\Windows\System32\IccLibDll.dll () MOD - C:\Programme\Common Files\Apple\Apple Application Support\zlib1.dll () MOD - C:\Programme\Common Files\Apple\Apple Application Support\libxml2.dll () MOD - C:\Programme\CyberLink\Power2Go\CLMLSvcPS.dll () MOD - C:\Programme\CyberLink\Power2Go\CLMediaLibrary.dll () MOD - C:\Programme\Mindjet\MindManager 7\zlib.dll () ========== Services (SafeList) ========== SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated) SRV - (McODS) -- C:\Programme\McAfee\VirusScan\mcods.exe (McAfee, Inc.) SRV - (MSK80Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (McProxy) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (McNASvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (McNaiAnn) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (mcmscsvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.) SRV - (TomTomHOMEService) -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe (TomTom) SRV - (mfevtp) -- C:\Windows\System32\mfevtps.exe (McAfee, Inc.) 
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe () SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe () SRV - (MozillaMaintenance) -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation) SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation) SRV - (IAStorDataMgrSvc) -- C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) SRV - (UNS) -- C:\Programme\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation) SRV - (LMS) -- C:\Programme\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation) SRV - (x10nets) -- C:\Programme\Common Files\X10\Common\X10nets.exe (X10) SRV - (WisLMSvc) -- C:\Programme\Launch Manager\WisLMSvc.exe (Wistron Corp.) SRV - (wlidsvc) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation) SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation) SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (Fabs) -- C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe (MAGIX AG) SRV - (FirebirdServerMAGIXInstance) -- C:\Programme\Common Files\MAGIX Services\Database\bin\fbserver.exe (MAGIX®) SRV - (PSI_SVC_2) -- c:\Programme\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.) SRV - (ose) -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE (Microsoft Corporation) SRV - (MDM) -- C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (mfeavfk01) -- File not found DRV - (AnyDVD) -- C:\Windows\System32\drivers\AnyDVD.sys (SlySoft, Inc.) DRV - (cfwids) -- C:\Windows\System32\drivers\cfwids.sys (McAfee, Inc.) DRV - (mfewfpk) -- C:\Windows\System32\drivers\mfewfpk.sys (McAfee, Inc.) 
DRV - (mferkdet) -- C:\Windows\System32\drivers\mferkdet.sys (McAfee, Inc.) DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.) DRV - (mfefirek) -- C:\Windows\System32\drivers\mfefirek.sys (McAfee, Inc.) DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.) DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.) DRV - (mfeapfk) -- C:\Windows\System32\drivers\mfeapfk.sys (McAfee, Inc.) DRV - (HipShieldK) -- C:\Windows\System32\drivers\HipShieldK.sys (McAfee, Inc.) DRV - (truecrypt) -- C:\Windows\System32\drivers\truecrypt.sys (TrueCrypt Foundation) DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation) DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation) DRV - (rtl8192se) -- C:\Windows\System32\drivers\rtl8192se.sys (Realtek Semiconductor Corporation ) DRV - (RSUSBSTOR) -- C:\Windows\System32\drivers\RtsUStor.sys (Realtek Semiconductor Corp.) DRV - (L1C) -- C:\Windows\System32\drivers\L1C62x86.sys (Atheros Communications, Inc.) DRV - (Impcd) -- C:\Windows\System32\drivers\Impcd.sys (Intel Corporation) DRV - (WFMC_VAD) -- C:\Windows\System32\drivers\wfmcvad.sys (WiFi Media Connect) DRV - (NxpCap) -- C:\Windows\System32\drivers\NxpCap.sys (NXP Semiconductors Germany GmbH) DRV - (IntcDAud) -- C:\Windows\System32\drivers\IntcDAud.sys (Intel(R) Corporation) DRV - (uiwbrdr) -- C:\Windows\System32\drivers\uiwbrdr.SYS (WEB.DE GmbH) DRV - (HECI) -- C:\Windows\System32\drivers\HECI.sys (Intel Corporation) DRV - (mod7700) -- C:\Windows\System32\drivers\mod7700.sys (DiBcom SA) DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation) DRV - (netr28u) -- C:\Windows\System32\drivers\netr28u.sys (Ralink Technology Corp.) DRV - (XUIF) -- C:\Windows\System32\drivers\x10ufx2.sys (X10 Wireless Technology, Inc.) DRV - (X10Hid) -- C:\Windows\System32\drivers\x10hid.sys (X10 Wireless Technology, Inc.) 
DRV - (athrusb) -- C:\Windows\System32\drivers\athrusb.sys (Atheros Communications, Inc.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://medion.msn.com [binary data] IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) 
IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\..\SearchScopes,DefaultScope = {C09A521B-C1F3-4F84-80EA-BDCA902E3EDF} IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\..\SearchScopes\{AD77EDF3-8E17-4122-87A0-4A32B631BCEA}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=MEDTDF&pc=MAMD&src=IE-SearchBox IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\..\SearchScopes\{C09A521B-C1F3-4F84-80EA-BDCA902E3EDF}: "URL" = hxxp://www.google.de/search?q={searchTerms} IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://medion.msn.com [binary data] IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) 
IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\..\SearchScopes,DefaultScope = {F720EBC9-453E-4A1A-A1AE-0E05E4897AD1} IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\..\SearchScopes\{F720EBC9-453E-4A1A-A1AE-0E05E4897AD1}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=MEDTDF&pc=MAMD&src=IE-SearchBox IE - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de" FF - prefs.js..extensions.enabledAddons: toolbar@web.de:2.3.1 FF - prefs.js..extensions.enabledAddons: {4ED1F68A-5463-4931-9384-8FFF5ED91D92}:3.5.0 FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}: FF - prefs.js..network.proxy.type: 0 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.) FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_35: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) 
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll () FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012.08.26 10:15:45 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2012.10.29 15:54:05 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.01 17:36:59 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.08.16 15:58:36 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\msktbird@mcafee.com: C:\Program Files\McAfee\MSK [2012.10.24 18:14:47 | 000,000,000 | ---D | M] [2010.06.27 13:01:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Extensions [2012.10.24 05:26:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\Firefox\Profiles\9bngy188.default\extensions [2012.10.17 19:45:30 | 000,558,413 | ---- | M] () (No name found) -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\9bngy188.default\extensions\toolbar@web.de.xpi [2010.09.11 08:54:37 | 000,002,057 | ---- | M] () -- C:\Users\xxx\AppData\Roaming\mozilla\firefox\profiles\9bngy188.default\searchplugins\youtube-videosuche.xml [2012.09.05 20:43:37 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2010.09.29 18:45:50 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2012.06.27 19:54:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012.09.05 20:43:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla 
Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2011.12.27 15:12:58 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\distribution\extensions [2011.12.27 15:12:58 | 000,000,000 | ---D | M] (WEB.DE Toolbar) -- C:\Programme\Mozilla Firefox\distribution\extensions\toolbar@web.de [2012.08.26 10:15:45 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR [2012.05.06 17:11:12 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011.04.14 13:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll [2012.05.06 17:11:08 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.05.06 17:11:08 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.05.06 17:11:08 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.05.06 17:11:08 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.05.06 17:11:08 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.05.06 17:11:08 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (CmjBrowserHelperObject Object) - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - C:\Programme\Mindjet\MindManager 7\Mm7InternetExplorer.dll (Mindjet) O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Programme\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. 
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\Common Files\Mcafee\SystemCore\ScriptSn.20120627073748.dll (McAfee, Inc.) O2 - BHO: (Windows Live ID-Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programme\Free Download Manager\iefdm2.dll () O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.) O3 - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.) 
O3 - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation) O3 - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Programme\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.) O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.) O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.) O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.) O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink) O4 - HKLM..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe (Wistron) O4 - HKLM..\Run: [IJNetworkScannerSelectorEX] C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe (CANON INC.) O4 - HKLM..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe" File not found O4 - HKLM..\Run: [LMgrVolOSD] C:\Program Files\Launch Manager\OSD.exe (Wistron Corp.) O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.) O4 - HKLM..\Run: [MMReminderService] C:\Programme\Mindjet\MindManager 7\MmReminderService.exe (Mindjet) O4 - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Wbutton] C:\Program Files\Launch Manager\Wbutton.exe (Wistron Corp.) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - Startup: C:\Users\Hans-Günter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Sabine\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
O4 - Startup: C:\Users\Sabine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Sabine\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O7 - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O8 - Extra context menu item: Alles mit FDM herunterladen - C:\Program Files\Free Download Manager\dlall.htm () O8 - Extra context menu item: Auswahl mit FDM herunterladen - C:\Program Files\Free Download Manager\dlselected.htm () O8 - Extra context menu item: Datei mit FDM herunterladen - C:\Program Files\Free Download Manager\dllink.htm () O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found O8 - Extra context menu item: Videos mit FDM herunterladen - C:\Program Files\Free Download Manager\dlfvideo.htm () O9 - Extra Button: eBay - Der weltweite 
Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation) O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: An Mindjet MindManager senden - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\Programme\Mindjet\MindManager 7\Mm7InternetExplorer.dll (Mindjet) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) 
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx (WRC Class)
O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/ (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{45E7A42D-34F3-4E38-8108-0519D5D90937}: DhcpNameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8CE461E9-3F24-4351-85F3-DE5D1EF8596C}: DhcpNameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A17F4394-3000-435E-9E5E-4BB6BCAF3A96}: DhcpNameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B0BC96E0-9998-449F-8408-8CF876885741}: DhcpNameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D42707D7-FE12-4E4E-B987-A28FC5B4F925}: DhcpNameServer =
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Programme\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Programme\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.10.31 20:02:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012.10.27 09:52:26 | 000,000,000 | ---D | C] -- C:\updates
[2012.10.27 09:51:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech Media Server
[2012.10.27 09:51:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Squeezebox
[2012.10.27 09:51:05 | 000,000,000 | ---D | C] -- C:\Program Files\Squeezebox
[2012.10.24 18:07:35 | 000,146,872 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\HipShieldK.sys
[2012.10.10 05:51:54 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2012.10.10 05:51:25 | 000,271,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
[2012.10.10 05:51:25 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2012.10.10 05:51:24 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
[2012.10.10 05:51:24 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
[2012.10.10 05:51:23 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
[2012.10.10 05:51:23 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
[2012.10.10 05:51:23 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
[2012.10.10 05:51:23 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
[2012.10.10 05:51:23 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012.10.10 05:51:23 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
[2012.10.10 05:51:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
[2012.10.10 05:51:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
[2012.10.10 05:51:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
[2012.10.10 05:51:22 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
[2012.10.10 05:51:21 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
[2012.10.10 05:51:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
[2012.10.10 05:51:21 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
[2012.10.10 05:51:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
[2012.10.10 05:51:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
[2012.10.10 05:51:21 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
[2012.10.10 05:51:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
[2012.10.10 05:51:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
[2012.10.10 05:51:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
[2012.10.10 05:51:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
[2012.10.10 05:51:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
[2012.10.10 05:51:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
[2012.10.10 05:51:15 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
[2012.10.10 05:51:15 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
[2012.10.10 05:51:14 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
[2012.10.10 05:51:13 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
[2012.10.10 05:49:48 | 003,968,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012.10.10 05:49:48 | 003,914,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012.10.31 20:03:26 | 318,981,120 | ---- | M] () -- C:\Users\Sabine\Documents\SabineOutlook.pst
[2012.10.31 19:58:02 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.10.31 19:29:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.10.31 18:51:59 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.10.31 18:48:02 | 000,654,166 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.10.31 18:48:02 | 000,616,008 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.10.31 18:48:02 | 000,130,006 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.10.31 18:48:02 | 000,106,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.10.31 18:44:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.10.29 15:57:56 | 000,009,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.10.29 15:57:56 | 000,009,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.10.29 15:50:25 | 2307,862,528 | -HS- | M] () -- C:\hiberfil.sys
[2012.10.27 09:51:50 | 000,001,016 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Media Server-Taskleisten-Tool.lnk
[2012.10.09 18:29:08 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012.10.09 18:29:08 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012.10.04 05:55:27 | 000,005,250 | ---- | M] () -- C:\Users\Sabine\Desktop\thumbnail.aspx.jpg
[2012.10.04 05:53:49 | 000,058,475 | ---- | M] () -- C:\Users\Sabine\Desktop\440px-New-York-City---Manhattan---Central-Park---(Gentry).jpg
[2012.10.04 05:53:10 | 000,042,665 | ---- | M] () -- C:\Users\Sabine\Desktop\240px-Location_of_Central_Park-fr.svg.png
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012.10.27 09:51:50 | 000,001,016 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Media Server-Taskleisten-Tool.lnk
[2012.10.04 05:55:26 | 000,005,250 | ---- | C] () -- C:\Users\Sabine\Desktop\thumbnail.aspx.jpg
[2012.10.04 05:53:49 | 000,058,475 | ---- | C] () -- C:\Users\Sabine\Desktop\440px-New-York-City---Manhattan---Central-Park---(Gentry).jpg
[2012.10.04 05:53:09 | 000,042,665 | ---- | C] () -- C:\Users\Sabine\Desktop\240px-Location_of_Central_Park-fr.svg.png
[2012.02.18 18:34:00 | 000,000,125 | -HS- | C] () -- C:\ProgramData\.zreglib
[2012.01.10 20:29:54 | 013,904,384 | ---- | C] () -- C:\Windows\System32\ig4icd32.dll
[2012.01.10 20:14:34 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2011.09.04 12:36:56 | 000,004,096 | -H-- | C] () -- C:\Users\Sabine\AppData\Local\keyfile3.drm
[2011.08.31 18:46:18 | 000,128,204 | ---- | C] () -- C:\Windows\System32\igcompkrng575.bin
[2011.08.31 18:46:12 | 000,105,608 | ---- | C] () -- C:\Windows\System32\igfcg575m.bin
[2011.08.31 18:46:10 | 000,867,020 | ---- | C] () -- C:\Windows\System32\igkrng575.bin
[2011.08.31 18:13:52 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IccLibDll.dll
[2011.05.21 11:46:19 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2011.01.30 20:34:32 | 000,000,680 | RHS- | C] () -- C:\Users\Sabine\ntuser.pol
[2010.09.29 18:46:50 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010.09.12 14:01:13 | 000,139,008 | ---- | C] () -- C:\Users\Sabine\MarkusKatzenmaier.elfo

========== ZeroAccess Check ==========

[2009.07.14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2011.04.30 21:36:45 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Amazon
[2012.08.24 21:19:16 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Buhl Data Service
[2012.08.24 21:33:20 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Buhl Data Service GmbH
[2011.04.23 06:03:11 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Bump Technologies, Inc
[2012.06.10 17:43:38 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Canon
[2012.10.29 06:49:18 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Dropbox
[2012.01.30 05:55:00 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Free Download Manager
[2012.05.28 19:16:06 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Garmin
[2012.08.14 09:51:24 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\pdfforge
[2012.03.11 07:36:41 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\stickies
[2011.05.14 07:35:58 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\Tobit
[2010.09.19 21:13:15 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\TomTom
[2011.09.13 08:37:38 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\TrueCrypt
[2011.11.25 22:40:55 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\TS3Client
[2010.08.03 22:27:39 | 000,000,000 | ---D | M] -- C:\Users\Hans-Günter\AppData\Roaming\WEB.DE
[2012.04.19 20:52:27 | 000,000,000 | ---D | M] -- C:\Users\Sabine\AppData\Roaming\10 Finger Test
[2012.06.10 14:57:08 | 000,000,000 | ---D | M] -- C:\Users\Sabine\AppData\Roaming\Canon
[2012.10.31 18:50:35 | 000,000,000 | ---D | M] -- C:\Users\Sabine\AppData\Roaming\Dropbox
[2011.10.07 16:43:49 | 000,000,000 | ---D | M] -- C:\Users\Sabine\AppData\Roaming\elsterformular
[2012.01.28 15:22:44 | 000,000,000 | ---D | M] -- C:\Users\Sabine\AppData\Roaming\Free Download Manager
[2012.03.10 17:13:39 | 000,000,000 | ---D | M] -- C:\Users\Sabine\AppData\Roaming\stickies
[2011.04.17 15:45:37 | 000,000,000 | -HSD | M] -- C:\Users\TV\AppData\Roaming\.#
[2011.11.25 18:57:34 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\.minecraft
[2011.04.17 15:45:40 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\ALDI_SUED_Mah_Jong
[2012.06.10 20:41:05 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\Canon
[2011.12.19 18:22:03 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\conkeror.mozdev.org
[2011.12.19 18:32:32 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\Langenscheidt
[2011.12.19 18:23:14 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\lingDIALOG
[2012.03.11 07:35:00 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\stickies
[2011.06.28 17:52:03 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\The Path
[2011.05.30 13:15:48 | 000,000,000 | ---D | M] -- C:\Users\TV\AppData\Roaming\TS3Client

========== Purity Check ==========

< End of report >

OTL Logfile:

OTL Extras logfile created on: 31.10.2012 19:55:01 - Run 1
OTL by OldTimer - Version Folder = C:\Users\Sabine\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,87 Gb Total Physical Memory | 1,59 Gb Available Physical Memory | 55,53% Memory free
5,73 Gb Paging File | 3,76 Gb Available in Paging File | 65,55% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 266,99 Gb Total Space | 35,12 Gb Free Space | 13,15% Space Free | Partition Type: NTFS
Drive D: | 30,00 Gb Total Space | 4,26 Gb Free Space | 14,20% Space Free | Partition Type: NTFS

Computer Name: xxxLAPTOP | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"9000:TCP" = 9000:TCP:*:Enabled:Logitech Media Server 9000 tcp (UI)
"9001:TCP" = 9001:TCP:*:Enabled:Logitech Media Server 9001 tcp (UI)
"9002:TCP" = 9002:TCP:*:Enabled:Logitech Media Server 9002 tcp (UI)
"9003:TCP" = 9003:TCP:*:Enabled:Logitech Media Server 9003 tcp (UI)
"9004:TCP" = 9004:TCP:*:Enabled:Logitech Media Server 9004 tcp (UI)
"9005:TCP" = 9005:TCP:*:Enabled:Logitech Media Server 9005 tcp (UI)
"9006:TCP" = 9006:TCP:*:Enabled:Logitech Media Server 9006 tcp (UI)
"9007:TCP" = 9007:TCP:*:Enabled:Logitech Media Server 9007 tcp (UI)
"9008:TCP" = 9008:TCP:*:Enabled:Logitech Media Server 9008 tcp (UI)
"9009:TCP" = 9009:TCP:*:Enabled:Logitech Media Server 9009 tcp (UI)
"9010:TCP" = 9010:TCP:*:Enabled:Logitech Media Server 9010 tcp (UI)
"9100:TCP" = 9100:TCP:*:Enabled:Logitech Media Server 9100 tcp (UI)
"8000:TCP" = 8000:TCP:*:Enabled:Logitech Media Server 8000 tcp (UI)
"10000:TCP" = 10000:TCP:*:Enabled:Logitech Media Server 10000 tcp (UI)
"9090:TCP" = 9090:TCP:*:Enabled:Logitech Media Server 9090 tcp (UI)
"3483:UDP" = 3483:UDP:*:Enabled:Logitech Media Server 3483 udp
"3483:TCP" = 3483:TCP:*:Enabled:Logitech Media Server 3483 tcp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9000:TCP" = 9000:TCP:*:Enabled:Logitech Media Server 9000 tcp (UI)
"9001:TCP" = 9001:TCP:*:Enabled:Logitech Media Server 9001 tcp (UI)
"9002:TCP" = 9002:TCP:*:Enabled:Logitech Media Server 9002 tcp (UI)
"9003:TCP" = 9003:TCP:*:Enabled:Logitech Media Server 9003 tcp (UI)
"9004:TCP" = 9004:TCP:*:Enabled:Logitech Media Server 9004 tcp (UI)
"9005:TCP" = 9005:TCP:*:Enabled:Logitech Media Server 9005 tcp (UI)
"9006:TCP" = 9006:TCP:*:Enabled:Logitech Media Server 9006 tcp (UI)
"9007:TCP" = 9007:TCP:*:Enabled:Logitech Media Server 9007 tcp (UI)
"9008:TCP" = 9008:TCP:*:Enabled:Logitech Media Server 9008 tcp (UI)
"9009:TCP" = 9009:TCP:*:Enabled:Logitech Media Server 9009 tcp (UI)
"9010:TCP" = 9010:TCP:*:Enabled:Logitech Media Server 9010 tcp (UI)
"9100:TCP" = 9100:TCP:*:Enabled:Logitech Media Server 9100 tcp (UI)
"8000:TCP" = 8000:TCP:*:Enabled:Logitech Media Server 8000 tcp (UI)
"10000:TCP" = 10000:TCP:*:Enabled:Logitech Media Server 10000 tcp (UI)
"9090:TCP" = 9090:TCP:*:Enabled:Logitech Media Server 9090 tcp (UI)
"3483:UDP" = 3483:UDP:*:Enabled:Logitech Media Server 3483 udp
"3483:TCP" = 3483:TCP:*:Enabled:Logitech Media Server 3483 tcp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{076D1951-0E8F-4FE2-AF88-990C1BA2D0EE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{09511A11-F907-49C3-814F-5F97E2F0C47C}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{13690EFF-466C-4B68-98F3-CA9650A1750A}" = rport=137 | protocol=17 | dir=out | app=system |
"{2FEB29E4-FA17-4CEE-BFA5-D16A2B013DF2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{4A4D3DA0-04E8-4970-8917-A0FBB6D771C0}" = rport=445 | protocol=6 | dir=out | app=system |
"{50CFCC9D-8A76-43CB-90D4-4AD2998FB8A6}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6A2C8A0E-70E0-4017-AFA0-59289BE041C0}" = lport=445 | protocol=6 | dir=in | app=system |
"{6A5EB1D6-C72F-40BD-BE86-9FACEAFDADE6}" = lport=139 | protocol=6 | dir=in | app=system |
"{6AD2EF9C-5B00-4651-9B98-5D254241A92A}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6D822D91-2CA5-4982-8D2E-459B6EA4CB24}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{6FD28064-979B-4164-B764-E18E75965FD2}" = rport=10243 | protocol=6 | dir=out | app=system |
"{80065459-4C51-40B0-B879-77E3DF05963B}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{81AEF93B-5DF8-45E2-9B4A-8C4BA722AEFD}" = lport=2869 | protocol=6 | dir=in | app=system |
"{93E066D2-DDDC-4557-B0FB-9D99023DDA7B}" = rport=139 | protocol=6 | dir=out | app=system |
"{96B22A02-D52B-4E9A-A6C7-10C4A3FE9ABC}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{986FD3AD-BCFF-4201-A3E3-59538B219DC2}" = lport=2869 | protocol=6 | dir=in | app=system |
"{98E00CC3-3035-4224-92EA-D95E17B72FAB}" = lport=10243 | protocol=6 | dir=in | app=system |
"{9CF5AD19-40D4-4B32-81F1-1AF64A2285B0}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A1889C5A-8389-4339-9EAB-18E9875689BD}" = lport=138 | protocol=17 | dir=in | app=system |
"{BE7A75FE-792C-4A66-994C-FB294B236EE9}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C6B91B9D-5F98-49DB-860B-AD4E50B87823}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D5B573C4-4612-4E89-9002-D0248DEBC951}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{E35AF82E-9310-40F4-A92D-E60C60E2A7FA}" = rport=138 | protocol=17 | dir=out | app=system |
"{EEC27033-0D49-4848-A6FB-EEE6AEE3B123}" = lport=137 | protocol=17 | dir=in | app=system |
"{F0D5FA73-F08D-4279-9591-9A65DA2B9318}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01417865-1344-4282-8860-043CE113653D}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{01A1D1F4-CE8C-4CF6-A82E-0EE229FEF85E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{15ED5D6F-FA49-4322-A040-53206AB176DD}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{173DE536-8721-4C2F-B9FF-42AC38706BE5}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{1FFC19CE-C46A-4FA9-A763-8AB8CF9C74BB}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{2D1115D6-3ED6-43A9-884A-DE4246C1B3BE}" = protocol=6 | dir=in | app=c:\users\sabine\appdata\roaming\dropbox\bin\dropbox.exe |
"{31F7F576-3DD7-4C0C-BF73-632FFB6059A5}" = protocol=6 | dir=in | app=c:\program files\tobit radio.fx\server\rfx-server.exe |
"{36A5DE59-853C-4799-A16E-65174830B6A6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{3B0F691B-AD48-455E-AD65-B0F48C06A384}" = protocol=6 | dir=in | app=c:\program files\philips\wi-fi mediaconnect\wi-fi mediaconnect.exe |
"{3C120EF8-4FA9-4364-98D8-F2FFE69D26DC}" = protocol=6 | dir=in | app=c:\program files\tobit radio.fx\client\rfx-client.exe |
"{3DC5C6FD-EADF-4DB9-BE03-024F29D22802}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{3E4390D2-3C02-4700-B76F-15714D43B926}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{46E45C62-0EBC-429B-AC0E-376EDC19A674}" = protocol=6 | dir=out | app=system |
"{481A2FC3-5E63-4D62-886D-6AB2334DFFFF}" = dir=in | app=c:\program files\squeezebox\server\squeezesvr.exe |
"{4853D2D0-224D-4B05-81B8-ECE0650AE7A8}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{537720AB-4BCE-4D65-BE6B-325B1437FE53}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{62C7C2FF-497E-42AB-9D0A-7CE6D3CC5ADD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6AC45BCF-DB87-49FB-940D-B08733EC722E}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{6FD3018D-3393-415F-B082-5F1DCC5E9F95}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7574D030-90C0-4BE6-B8A6-E91E1829F2C3}" = protocol=17 | dir=in | app=c:\users\hans-günter\appdata\roaming\dropbox\bin\dropbox.exe |
"{7A08BCA9-A3B0-4A3C-81DF-4F8EE3D985C4}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{7D4FAB9E-2A61-482E-8FC2-CFBED3BC2923}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{806939A5-206D-4BA1-9D03-C5CC5621B840}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{8382F56D-7574-4DF6-A228-4E6C5044775E}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{90479E4C-F350-4802-9B63-28D8AA7CB685}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{96CB828A-A2CB-425A-BDF1-4ECF414018FF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{9970EF89-74B7-4C32-8496-DB0C7C5FB009}" = protocol=17 | dir=in | app=c:\program files\tobit radio.fx\server\rfx-server.exe |
"{9BC55F11-17F9-45ED-9EF6-D46329D027D8}" = protocol=6 | dir=in | app=c:\users\hans-günter\appdata\roaming\dropbox\bin\dropbox.exe |
"{A1528E11-1838-4BE1-A59C-6D429DE14A08}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{AFF9AC0B-C9EE-43C7-BE56-75451577D3BC}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{B6E0CCAB-7BF7-4098-807B-10AD722B2C2E}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BA7EF6CE-CE3E-46A7-BB84-FEAFA30ECDE1}" = protocol=17 | dir=in | app=c:\users\sabine\appdata\roaming\dropbox\bin\dropbox.exe |
"{BBAA90A9-4981-4B27-B06C-4C4686A56774}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{D2B0BA0A-E2CF-41F0-AF75-5DBD3E0093F4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D3D716AD-E37C-4AF2-9F15-1AF0A3A6C85E}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{DE877ED9-300F-4F3C-837B-304998ACADAD}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{E2530034-5A03-4CE2-B992-0FB875C155DE}" = protocol=17 | dir=in | app=c:\program files\philips\wi-fi mediaconnect\wi-fi mediaconnect.exe |
"{EEF61AC1-5102-4CB7-8103-046C28F8590E}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{F0FD7CB9-A684-46AF-94B0-926B85A942F2}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{F327E121-3ACF-4384-9620-880D04B323A8}" = protocol=17 | dir=in | app=c:\program files\tobit radio.fx\client\rfx-client.exe |
"{F7AE77FA-9626-427B-885A-C23321414C3D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"TCP Query User{71D6FF3C-7B8D-48FE-810E-BEDEBF209ECC}C:\users\hans-günter\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\hans-günter\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{7D769601-E618-47C8-8F0D-7CA77BC053CC}C:\program files\philips\wi-fi mediaconnect\wi-fi mediaconnect.exe" = protocol=6 | dir=in | app=c:\program files\philips\wi-fi mediaconnect\wi-fi mediaconnect.exe |
"TCP Query User{DC0BC74E-78D4-4BC7-B744-D512A5C54B3A}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{DE01E302-2802-41E6-97B6-DC1B3629DCCF}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{FFB8E887-B249-4761-9A0D-EF9A4CB9774C}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{1F5AFEF3-8B38-4E65-876D-1E9F74C7EB67}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{2E66FE35-2683-402F-B4FB-09F65279C62E}C:\users\hans-günter\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\hans-günter\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{766E8335-1D0B-4194-86C6-E44B1F1B5162}C:\program files\philips\wi-fi mediaconnect\wi-fi mediaconnect.exe" = protocol=17 | dir=in | app=c:\program files\philips\wi-fi mediaconnect\wi-fi mediaconnect.exe |
"UDP Query User{ED9DADC9-69C6-4DDC-9937-0872D2224C8F}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{F3AC67FB-B566-483D-A17B-56703D3A2709}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{C0237AA4-1BFB-46EA-860D-7B0EB365CA13}" = CorelDRAW Essentials 4
"_{CF0ADC18-6D8F-4353-8EAA-DF45456B7853}" = CorelDRAW Essentials 4 - Windows Shell Extension
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{071B843C-9A39-40B3-BB01-BBD6A8D2E1C5}" = lingDIALOG
"{07B62101-7EBD-434A-94B1-B38063BE5516}" = CorelDRAW Essentials 4 - PHOTO-PAINT
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID-Anmelde-Assistent
"{09298F26-A95C-31E2-9D95-2C60F586F075}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0ED4216F-3540-4D6B-8199-1C8DDEA3924B}" = CorelDRAW Essentials 4 - Lang DE
"{0F6F6876-6334-4977-B5DD-CFC12E193420}" = iTunes
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX890_series" = Canon MX890 series MP Drivers
"{1945A4B5-73B6-4DE9-99A3-05261B7FDED0}" = Shared C Run-time for x86
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{199ACA4F-8CAC-40FB-996B-C380DF69B71F}" = Langenscheidt Vokabeltrainer 6.0 Französisch
"{19AC095C-3520-4999-AA15-93B6D0248A50}" = CorelDRAW Essentials 4 - Content
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Medion Home Cinema
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{235211CA-D0E3-4EC8-95D4-C024CE37537C}" = WISO Mein Geld 2012 Professional
"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 35
"{2BA722D1-48D1-406E-9123-8AE5431D63EF}" = Windows Live Fotogalerie
"{2BC21CD2-8053-406A-80F6-9AB61717B49D}" = ODF Add-in for Microsoft Office
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{34A9406E-1994-4C20-AC72-04CFA2B24545}" = CorelDRAW Essentials 4 - Lang EN
"{3576C335-958D-4D60-A812-F68F9A2796AF}" = CorelDRAW Essentials 4 - Lang IT
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CDFEE23-66D2-4DB0-8269-12634E871725}" = Mindjet MindManager Pro 7
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3E6F0CAD-EE38-42A5-9EEA-AE17A55BF2D4}" = Firebird SQL Server - MAGIX Edition
"{3EFEF049-23D4-4B46-8903-4592FEA51018}" = Windows Live Movie Maker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{518F8DB2-65BA-40F7-B843-1F11F8F1B124}" = Vokabeltrainer-Update 6.0.16
"{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
"{5500BB35-1C21-4328-9F16-F894B860FADE}" = CorelDRAW Essentials 4 - Lang NL
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{5FF02438-DDE5-4D8E-8291-577CC1A2C014}" = AkkuLine Batterie-Tool
"{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support
"{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST
Module "{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components "{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers "{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 "{6C94A234-CA2C-4D3C-81E6-6AAA8069825D}" = Garmin WebUpdater "{70B7A167-0B88-445D-A3EA-97C73AA88CAC}" = Windows Live Toolbar "{710BF966-43C8-4216-A8EC-BC4E169FF7C1}" = MobileMe Control Panel "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{76618402-179D-4699-A66B-D351C59436BC}" = Windows Live Sync "{76E852ED-1B06-4BC8-9D6A-625DB95FB7E5}" = CorelDRAW Essentials 4 - IPM - No VBA "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour "{7D542452-84EB-47C0-97BA-735C523AB555}" = Garmin Training Center "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86) "{8CC68433-5837-4075-B81F-EA7E4F14CE60}" = iCloud "{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules "{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003 "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In "{9017CEAF-BE5A-4F73-8A0E-C87E26971E55}" = TomTom HOME "{9043B9A0-9505-405B-8202-E7167A38A89C}" = CorelDRAW Essentials 4 "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 
2.0 Card Reader "{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{9D3D8C60-A55F-4fed-B2B9-173F09590E16}" = REALTEK Wireless LAN Driver "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AA58346A-A5D7-4659-91D6-38D07345BDCF}" = Wi-Fi MediaConnect "{ABD8B955-1C69-4AF3-949B-13CD587C175F}" = CorelDRAW Essentials 4 - Lang BR "{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.2 - Deutsch "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0 "{B9FA9F15-A1F3-4DB1-AD49-0B9351843FAA}" = CorelDRAW Essentials 4 - Draw "{BA9319FE-BCEF-4C99-8039-F464648D046E}" = CorelDRAW Essentials 4 - Lang FR "{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU] "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86) "{C0237AA4-1BFB-46EA-860D-7B0EB365CA13}" = CorelDRAW Essentials 4 - ICA "{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint "{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update "{C682F3F0-00A6-4379-B083-4F3273624D7B}" = CorelDRAW Essentials 4 - Lang ES "{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection "{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86 "{CF0ADC18-6D8F-4353-8EAA-DF45456B7853}" = CorelDRAW Essentials 4 - Windows Shell Extension "{D0846526-66DD-4DC9-A02C-98F9A2806812}" = Launch Manager V1.5.0.8 "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2 "{D4DDFAA1-EC37-4529-AD5B-A433ADE68662}" = Apple Mobile Device Support "{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer "{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update "{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series 
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy "{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime "{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F16841F6-5F0F-4DBE-B318-63CEB916F21D}" = CorelDRAW Essentials 4 - Filters "{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5 "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials "10 Finger Test_is1" = 10 Finger Test 5.5 "49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "ALDI SÜD Mah Jong" = ALDI SÜD Mah Jong "Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.17 "AnyDVD" = AnyDVD "Ashampoo Burning Studio_is1" = Ashampoo Burning Studio "Ashampoo Photo Commander_is1" = Ashampoo Photo Commander "Ashampoo Snap_is1" = Ashampoo Snap "Canon MX890 series Benutzerregistrierung" = Canon MX890 series Benutzerregistrierung "Canon MX890 series On-screen Manual" = Canon MX890 series On-screen Manual "Canon_IJ_Network_Scanner_Selector_EX" = Canon IJ Network Scanner Selector EX "Canon_IJ_Network_UTILITY" = Canon IJ Network Tool "CanonMyPrinter" = Canon My Printer "CanonSolutionMenuEX" = Canon Solution Menu EX "CloneDVD2" = CloneDVD2 "Easy-PhotoPrint EX" = Canon Easy-PhotoPrint EX "Easy-WebPrint EX" = Canon Easy-WebPrint EX "ElsterFormular für Privatanwender" = ElsterFormular-Update "Free Download Manager_is1" = Free Download Manager 3.0 
"Grammatiktrainer 6.0 Franzoesisch" = Langenscheidt Grammatiktrainer 6.0 Franzoesisch "InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam "InstallShield_{071B843C-9A39-40B3-BB01-BBD6A8D2E1C5}" = lingDIALOG "InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Medion Home Cinema "InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go "InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint "InstallShield_{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy "Kurs 6.0 Französisch" = Langenscheidt Kurs 6.0 Französisch "Logitech Media Server_is1" = Logitech Media Server 7.7.2 "MEDION Fotos auf CD & DVD SE Sued D" = MEDION Fotos auf CD & DVD SE Sued "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Mozilla Firefox 12.0 (x86 de)" = Mozilla Firefox 12.0 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "MP Navigator EX 5.1" = Canon MP Navigator EX 5.1 "MSC" = McAfee Internet Security Suite "MSMONEYV70" = Microsoft Money 99 "Speed Dial Utility" = Canon Kurzwahlprogramm "SynTPDeinstKey" = Synaptics Pointing Device Driver "TeamSpeak 3 Client" = TeamSpeak 3 Client "TrueCrypt" = TrueCrypt "WEB.DE SmartDrive Manager" = WEB.DE SmartDrive Manager "Windows Media Encoder 9" = Windows Media Encoder 9 Series "WinLiveSuite_Wave3" = Windows Live Essentials "WISO Mein Geld 2012 Professional" = WISO Mein Geld 2012 Professional "X10Hardware" = X10 Hardware(TM) ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-3542620766-992799415-2828400377-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Dropbox" = Dropbox ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-3542620766-992799415-2828400377-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "TeamSpeak 3 Client" = TeamSpeak 3 Client 
========== Last 20 Event Log Errors ========== [ Application Events ] Error - 07.10.2012 16:37:01 | Computer Name = xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 6038 Error - 07.10.2012 16:37:01 | Computer Name = xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 6038 Error - 07.10.2012 16:37:02 | Computer Name = xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 07.10.2012 16:37:02 | Computer Name =xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 7036 Error - 07.10.2012 16:37:02 | Computer Name = xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 7036 Error - 07.10.2012 16:37:03 | Computer Name = xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 07.10.2012 16:37:03 | Computer Name = xxxsLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 8066 Error - 07.10.2012 16:37:03 | Computer Name = xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 8066 Error - 08.10.2012 00:31:09 | Computer Name = xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 08.10.2012 00:31:09 | Computer Name = xxxLaptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 1014 [ System Events ] Error - 27.10.2012 04:06:01 | Computer Name = xxxLaptop | Source = Service Control Manager | ID = 7034 Description = Dienst "TomTomHOMEService" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert. 
Error - 27.10.2012 06:18:11 | Computer Name = xxxLaptop | Source = DCOM | ID = 10010 Description = Error - 27.10.2012 16:21:16 | Computer Name = xxxLaptop | Source = DCOM | ID = 10010 Description = Error - 28.10.2012 05:21:39 | Computer Name = xxxLaptop | Source = EventLog | ID = 6008 Description = Das System wurde zuvor am ?28.?10.?2012 um 05:59:39 unerwartet heruntergefahren. Error - 29.10.2012 01:49:10 | Computer Name = xxxLaptop | Source = DCOM | ID = 10010 Description = Error - 29.10.2012 18:49:18 | Computer Name = xxxLaptop | Source = DCOM | ID = 10010 Description = Error - 30.10.2012 09:12:07 | Computer Name = xxxLaptop | Source = DCOM | ID = 10010 Description = Error - 30.10.2012 15:44:02 | Computer Name = xxxLaptop | Source = DCOM | ID = 10010 Description = Error - 31.10.2012 13:44:44 | Computer Name = xxxLaptop | Source = Service Control Manager | ID = 7011 Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst Netman erreicht. Error - 31.10.2012 13:46:01 | Computer Name = xxxLaptop | Source = DCOM | ID = 10010 Description = < End of report > |
| #6 |
/// Malware-holic | hi
Combofix may only be run when a team member has instructed you to do so! Please download Combofix from one of these download mirrors: Link 1 Link 2 IMPORTANT - Save Combofix to your desktop
When Combofix has finished, it will create a log file. Please post C:\Combofix.txt in your next reply. Note: Should you receive the following error message after the restart Quote: |
| #7 |
| Hello Marcus, I have now uninstalled McAfee, but I have also discovered a Windows Firewall. Do I have to uninstall that too? |
| #8 |
/// Malware-holic | You don't have to uninstall McAfee at all, just disable it. If Combofix then still shows a message, click OK.
__________________ - Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de Forwarding instructions: http://markusg.trojaner-board.de For now, please forward mails to markusg.trojaner-board@web.de following the instructions above. If you would like to support us |
| #9 |
| Hi Markus, first of all thank you very much for continuing to help me even though I was too dumb to spell your name correctly! I have 2 more questions: 1. Did I have a trojan? 2. Which virus scanner do you recommend? After all, I don't have one anymore! Combofix log file: Code:
- - End Of File - - |
| #10 |
/// Malware-holic | Please open Computer, C:, Qoobox; there, right-click Quarantine, pack it with WinRAR or another archiving program, and upload it here: Trojaner-Board Upload Channel. Report back when done. |
#11 | Call from the bank about Citadel
Hello Markus, done!
#12 | /// Malware-holic | Call from the bank about Citadel
hi, download TDSSKiller: http://www.trojaner-board.de/82358-t...entfernen.html
Click on Change parameters
• Tick Verify driver digital signatures and Detect TDLFS file system
• Click OK and then Start scan
For any findings, always choose Skip for now, and post the log.
#13 | Call from the bank about Citadel
Hello Markus, I did that; it found 4 things. I pressed Skip. It also shows me the Scan Results, but the window can't be copied from. I'll type it out:
Suspicious
Firebirdserver MAGIXInstance ( UnsignedFile.Multi.Generic )
" uiwbrdr ( UnsignedFile.Multi.Generic )
" USBAAPL ( UnsignedFile.Multi.Generic )
" x10nets ( UnsignedFile.Multi.Generic )
Skipped by user
Firebirdserver MAGIXInstance ( UnsignedFile.Multi.Generic )
" uiwbrdr ( UnsignedFile.Multi.Generic )
" USBAAPL ( UnsignedFile.Multi.Generic )
" x10nets ( UnsignedFile.Multi.Generic )
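A defender-side way to triage the UnsignedFile.Multi.Generic verdicts in the post above, as an added PowerShell example that is not part of the thread or of TDSSKiller: it looks up each flagged service's ImagePath in the registry and reports the binary's Authenticode status, signer and last-write time, so an unsigned but known third-party driver can be told apart from a file that deserves a closer look. The first service name, FirebirdServerMAGIXInstance, is an assumption (TDSSKiller displayed "Firebirdserver MAGIXInstance"); the other three are as quoted, and the handling of unquoted ImagePath values is a simplification.

```powershell
# Added example (not from this thread): resolve the services TDSSKiller reported as
# UnsignedFile.Multi.Generic to their binaries and check each Authenticode signature.
# Unsigned third-party drivers are a common benign cause of this verdict; an unsigned
# file with no recognisable vendor, an odd path or a fresh timestamp is what to look at.
# First name is assumed: TDSSKiller showed "Firebirdserver MAGIXInstance".
$flagged = @('FirebirdServerMAGIXInstance', 'uiwbrdr', 'USBAAPL', 'x10nets')

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    # Strip quotes/arguments, then turn the kernel-style paths drivers use into Win32 paths.
    $p = $ImagePath.Trim()
    if (-not $p) { return '' }
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] } else { $p = ($p -split ' -| /')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^\\\?\?\\(.*)$')       { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-FlaggedServiceSignature {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # '' | Select-Object gives a fixed column order even on PowerShell 2.0 (Windows 7)
        $row = '' | Select-Object Service, Binary, Status, Signer, Modified
        $row.Service = $name
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) {
            $row.Status = 'ServiceKeyMissing'   # check the exact service name
            $row; continue
        }
        $file = Resolve-ServiceBinary (Get-ItemProperty -Path $key).ImagePath
        $row.Binary = $file
        if (-not $file -or -not (Test-Path $file)) {
            $row.Status = 'BinaryMissing'       # ImagePath points nowhere: worth a look
            $row; continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        $row.Status   = $sig.Status             # Valid, NotSigned, HashMismatch, ...
        $row.Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        $row.Modified = (Get-Item $file).LastWriteTime
        $row
    }
}

Get-FlaggedServiceSignature -Names $flagged | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the affected machine; a NotSigned status on a driver shipped by a known vendor (Apple, X10, MAGIX) matches TDSSKiller's generic verdict and is not by itself evidence of infection.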
#14 | /// Malware-holic | Call from the bank about Citadel
hi, Computer, C:, there is a tdsskiller-date-version.txt there; post its contents.
#15 | Call from the bank about Citadel
There's a problem: I can't paste it in here because it's too big. And the file in C: can't be zipped (for whatever reason).