Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Computer von FBI Ransomware befallen

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 14.11.2012, 21:56   #1
MrsLazuli
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Habe mir heute eine Ransomware eingefangen, eine vom FBI, die per Moneypak 200 Dollar fordert.
Avira hat ihn erkannt und in Quarantäne gesteckt. Allerdings ist bei 1 von 3 Benutzern aufgepoppt, dieser ist jetzt gesperrt, die andern 2 funktionieren aber noch ohne Einschränkung. Möchte die Ransomware natürlich so schnell wie möglich loswerden und habe mich im Internet umgeschaut, habe allerdings nichts Hilfreiches dazu gefunden. Viele Programme scheinen mir sehr dubios und unsicher. Aus diesem Grund hätte ich gerne Euren Rat zu diesem Thema, möchte da nichts falsch machen. Habe natürlich OTL durchlaufen lassen (siehe unten).
Würde mich über Hilfe sehr freuen.

OTL.txt:OTL Logfile:
Code:
ATTFilter
OTL logfile created on: 11/14/2012 9:22:13 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Verena\Documents
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1.99 Gb Total Physical Memory | 0.70 Gb Available Physical Memory | 35.10% Memory free
4.21 Gb Paging File | 2.84 Gb Available in Paging File | 67.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 119.00 Gb Total Space | 53.60 Gb Free Space | 45.05% Space Free | Partition Type: NTFS
Drive D: | 30.04 Gb Total Space | 20.61 Gb Free Space | 68.60% Space Free | Partition Type: FAT32
 
Computer Name: ****** | User Name: ***** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Verena\Documents\OTL.exe (OldTimer Tools)
PRC - C:\Users\Verena\AppData\Local\Programs\Opera\opera.exe (Opera Software)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Users\Verena\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
PRC - C:\Programme\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
PRC - C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
PRC - C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)
PRC - C:\Programme\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Programme\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Users\Verena\Documents\phonostar-Player\phonostarTimer.exe ()
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Programme\Sceneo\Bonavista\Services\ODSBC\ODSBCApp.exe (ODSoft multimedia)
PRC - C:\Programme\Sceneo\Bonavista\Services\PVR\pvrservice.exe (Buhl Data Service GmbH)
PRC - C:\Programme\Medion\MEDIONbox\Program\GCS.exe (Empolis GmbH)
PRC - c:\Programme\Common Files\Gnab\Service\ServiceController.exe (Empolis GmbH)
PRC - C:\Programme\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Programme\ScanSoft\OmniPageSE4\OpWareSE4.exe (Nuance Communications, Inc.)
PRC - C:\Programme\MSN Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
PRC - C:\Programme\Launch Manager\OSD.exe (Wistron Corp.)
PRC - C:\Programme\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
PRC - C:\Programme\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Programme\Launch Manager\HotkeyApp.exe (Wistron)
PRC - C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
PRC - C:\Programme\Launch Manager\WisLMSvc.exe (Wistron Corp.)
PRC - C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Programme\Launch Manager\WButton.exe ()
PRC - C:\Programme\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
PRC - C:\Programme\Common Files\microsoft shared\Works Shared\WkCalRem.exe (Microsoft® Corporation)
PRC - C:\Programme\Launch Manager\LaunchAp.exe ()
PRC - C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Windows\System32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
MOD - C:\Programme\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Users\Verena\Documents\phonostar-Player\phonostarTimer.exe ()
MOD - C:\Users\Verena\Documents\phonostar-Player\QtCore4.dll ()
MOD - C:\Users\Verena\Documents\phonostar-Player\plugins\sqldrivers\qsqlite4.dll ()
MOD - C:\Users\Verena\Documents\phonostar-Player\QtSql4.dll ()
MOD - C:\Users\Verena\Documents\phonostar-Player\QtGui4.dll ()
MOD - C:\Programme\ArcSoft\PhotoImpression 5\Share\PIHook.dll ()
MOD - C:\Windows\System32\igfxTMM.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56ita.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56esp.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56brz.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56kor.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56ger.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56fra.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56dnk.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56jpn.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56cht.dll ()
MOD - C:\Programme\Motorola\SMSERIAL\sm56chs.dll ()
MOD - C:\Programme\Launch Manager\WButton.exe ()
MOD - C:\Programme\Launch Manager\LaunchAp.exe ()
 
 
========== Services (SafeList) ==========
 
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (odserv) -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ACDaemon) -- C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (Microsoft Office Groove Audit Service) -- C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (Extensions Updates Service) -- C:\Programme\Extensions for Windows\Extensions\Updater\ExtensionsUpdatesService.exe (Extensoft)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (srvcPVR) -- C:\Programme\Sceneo\Bonavista\Services\PVR\pvrservice.exe (Buhl Data Service GmbH)
SRV - (GnabService) -- c:\Programme\Common Files\Gnab\Service\ServiceController.exe (Empolis GmbH)
SRV - (usnjsvc) -- C:\Programme\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (IviRegMgr) -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
SRV - (WisLMSvc) -- C:\Programme\Launch Manager\WisLMSvc.exe (Wistron Corp.)
SRV - (IAANTMON) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (ose) -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (UleadBurningHelper) -- C:\Programme\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
SRV - (FirebirdServerMAGIXInstance) -- C:\Programme\ALDI Foto Service Nord\Common\Database\bin\fbserver.exe (MAGIX®)
SRV - (MDM) -- C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (mailKmd) --  File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (RMCAST) -- C:\Windows\System32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (RTL8187B) -- C:\Windows\System32\drivers\rtl8187B.sys (Realtek Semiconductor Corporation                           )
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation                                            )
DRV - (SNP2UVC) -- C:\Windows\System32\drivers\snp2uvc.sys ()
DRV - (StMp3Rec) -- C:\Windows\System32\drivers\StMp3Rec.sys (Generic)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (Afc) -- C:\Windows\System32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (Hotkey) -- C:\Windows\System32\drivers\HOTKEY.sys ()
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com
IE - HKLM\..\URLSearchHook: {192a6019-26d2-4611-aead-07cd7733b146} - C:\Programme\Stardoll\prxtbStar.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - SOFTWARE\Classes\CLSID\{cd90bf73-20f6-44ef-993d-bb920303bd2e}\InprocServer32 File not found
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}: "URL" = hxxp://www.searchqu.com//web?src=ieb&appid=0&systemid=414&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2653012
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.searchqu.com/414
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://www.google.com/ie
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.google.com/ie
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\URLSearchHook: {192a6019-26d2-4611-aead-07cd7733b146} - C:\Programme\Stardoll\prxtbStar.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\URLSearchHook: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - SOFTWARE\Classes\CLSID\{cd90bf73-20f6-44ef-993d-bb920303bd2e}\InprocServer32 File not found
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\URLSearchHook: {ff19b72a-36ed-4066-8865-a580ae938cce} - No CLSID value found
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\SearchScopes\{5AE06BBB-38EA-460B-A226-733EBD56D6E9}: "URL" = https://www.xing.com/app/search/?op=universal&ref=os&universal={searchTerms}
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}: "URL" = hxxp://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDA_de
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}: "URL" = hxxp://www.searchqu.com//web?src=ieb&appid=0&systemid=414&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2653012
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.stardoll.com/
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\..\SearchScopes,DefaultScope = {B0616C55-6A9F-4945-932A-6190BB21A21F}
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = 
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\..\SearchScopes\{B0616C55-6A9F-4945-932A-6190BB21A21F}: "URL" = hxxp://www.google.de/search?q={searchTerms}&rlz=1I7MEDA_de
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 129.241.88.65:80
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "hxxp://www.searchqu.com/414"
FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1
FF - prefs.js..extensions.enabledItems: gutscheinmieze@synatix-gmbh.de:1.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {1FD91A9C-410C-4090-BBCC-55D3450EF433}:1.0
FF - prefs.js..extensions.enabledItems: {99079a25-328f-4bd4-be04-00955acaa0a7}:4.3.1.00
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.3
FF - prefs.js..keyword.URL: "hxxp://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
 
FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..browser.search.defaultenginename: "Google"
FF - user.js..keyword.URL: "hxxp://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q="
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0:  File not found
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.666: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.666: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.666: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.666: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.666: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\PROGRA~1\SONYON~1\npsoe.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@virtools.com/3DviaPlayer: C:\Program Files\Virtools\3D Life Player\npvirtools.dll (Dassault Systèmes)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/25 20:13:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/05/12 13:44:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.5.2\extensions\\Components: C:\Program Files\Flock\components [2009/09/03 15:41:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.5.2\extensions\\Plugins: C:\Program Files\Flock\plugins [2012/09/24 20:45:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/31 16:04:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/24 20:45:04 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/05/12 13:44:06 | 000,000,000 | ---D | M]
 
[2011/09/01 15:17:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\Extensions
[2010/02/01 13:37:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org
[2011/11/24 19:35:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\Firefox\Profiles\qxrfus66.default\extensions
[2011/01/05 15:03:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\Firefox\Profiles\qxrfus66.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/09/01 15:17:25 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\Firefox\Profiles\qxrfus66.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2010/07/05 14:52:31 | 000,000,000 | ---D | M] ("Free YouTube Download (Free Studio) Menu") -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\Firefox\Profiles\qxrfus66.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2011/03/08 18:53:05 | 000,000,000 | ---D | M] (Gutscheinmieze) -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\Firefox\Profiles\qxrfus66.default\extensions\gutscheinmieze@synatix-gmbh.de
[2011/07/16 20:30:58 | 000,000,961 | ---- | M] () -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\firefox\profiles\qxrfus66.default\searchplugins\icqplugin.xml
[2011/09/01 15:16:52 | 000,002,503 | ---- | M] () -- C:\Users\Ursula Gnas\AppData\Roaming\mozilla\firefox\profiles\qxrfus66.default\searchplugins\SearchResults.xml
[2012/02/03 18:55:22 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2009/03/23 17:49:54 | 000,000,000 | ---D | M] ("ICQ Toolbar") -- C:\Programme\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2010/11/05 16:37:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2012/02/03 18:55:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
[2008/10/20 18:40:32 | 000,000,000 | ---D | M] (Mozilla Firefox distributed by RealNetworks) -- C:\Programme\Mozilla Firefox\extensions\realplayer@partners.mozilla.com
[2009/01/17 12:21:28 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2010/11/05 16:37:28 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/09/01 15:17:54 | 000,000,000 | ---D | M] (DataMngr) -- C:\PROGRAM FILES\WINDOWS SEARCHQU TOOLBAR\DATAMNGR\FIREFOXEXTENSION
[2012/01/25 20:13:43 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/01/25 11:55:14 | 000,644,096 | ---- | M] (Synatix GmbH) -- C:\Program Files\mozilla firefox\plugins\npmieze.dll
[2010/01/20 21:00:54 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010/01/20 21:00:54 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011/03/08 18:53:06 | 000,000,140 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Google.src
[2010/01/20 21:00:54 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2011/09/01 15:16:52 | 000,002,503 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml
[2010/01/20 21:00:54 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2010/01/20 21:00:55 | 000,000,801 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Stardoll Toolbar) - {192a6019-26d2-4611-aead-07cd7733b146} - C:\Programme\Stardoll\prxtbStar.dll (Conduit Ltd.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Programme\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Programme\Windows Searchqu Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (Veoh Web Player Toolbar) - {cd90bf73-20f6-44ef-993d-bb920303bd2e} - C:\Program Files\Veoh_Web_Player\prxtbVeoh.dll File not found
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Programme\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Stardoll Toolbar) - {192a6019-26d2-4611-aead-07cd7733b146} - C:\Programme\Stardoll\prxtbStar.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Programme\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (Veoh Web Player Toolbar) - {cd90bf73-20f6-44ef-993d-bb920303bd2e} - C:\Program Files\Veoh_Web_Player\prxtbVeoh.dll File not found
O3 - HKLM\..\Toolbar: (Gutscheinmieze) - {DFEFCDEE-CF1A-4FC8-88AD-48514E463B27} - Gutscheinmieze\toolbar.dll File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\Toolbar\WebBrowser: (Stardoll Toolbar) - {192A6019-26D2-4611-AEAD-07CD7733B146} - C:\Programme\Stardoll\prxtbStar.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\Toolbar\WebBrowser: (Veoh Web Player Toolbar) - {CD90BF73-20F6-44EF-993D-BB920303BD2E} - C:\Program Files\Veoh_Web_Player\prxtbVeoh.dll File not found
O3 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\..\Toolbar\WebBrowser: (Gutscheinmieze) - {DFEFCDEE-CF1A-4FC8-88AD-48514E463B27} - Gutscheinmieze\toolbar.dll File not found
O3 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\..\Toolbar\WebBrowser: (Stardoll Toolbar) - {192A6019-26D2-4611-AEAD-07CD7733B146} - C:\Programme\Stardoll\prxtbStar.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\..\Toolbar\WebBrowser: (Veoh Web Player Toolbar) - {CD90BF73-20F6-44EF-993D-BB920303BD2E} - C:\Program Files\Veoh_Web_Player\prxtbVeoh.dll File not found
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe" File not found
O4 - HKLM..\Run: [DATAMNGR] C:\Programme\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O4 - HKLM..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe (Wistron)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe ()
O4 - HKLM..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe (Wistron Corp.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Programme\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SMSERIAL] C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [toolbar_eula_launcher] C:\Programme\GoogleEULA\EULALauncher.exe ( )
O4 - HKLM..\Run: [TVBroadcast] C:\Programme\Sceneo\Bonavista\Services\ODSBC\ODSBCApp.exe (ODSoft multimedia)
O4 - HKLM..\Run: [UVS10 Preload] C:\Programme\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe (Ulead Systems, Inc.)
O4 - HKLM..\Run: [Wbutton] C:\Program Files\Launch Manager\Wbutton.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003..\Run: [Naugzue] "C:\Users\Ursula Gnas\AppData\Roaming\Anad\xati.exe" File not found
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" File not found
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe" File not found
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005..\Run: [phonostarTimer] C:\Users\Verena\Documents\phonostar-Player\phonostarTimer.exe ()
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" File not found
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6.6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C)" -"hxxp://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=356&nc_referer=&age=1&hiscore=208&sp=0&questionSet=&r=3298294&&width=480&height=460&quality=high" File not found
O4 - Startup: C:\Users\Bernhard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Users\Ursula Gnas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Programme\LimeWire\LimeWire.exe (Lime Wire, LLC)
O4 - Startup: C:\Users\Ursula Gnas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Users\Ursula Gnas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Users\Verena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk =  File not found
O4 - Startup: C:\Users\Verena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Users\Verena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Users\Verena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK = C:\Programme\Common Files\microsoft shared\Works Shared\WkCalRem.exe (Microsoft® Corporation)
O7 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O7 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Free YouTube Download - C:\Users\Ursula Gnas\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-1170-17534-22/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-1170-17534-22/4 File not found
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} hxxp://ferrets4you.viewnetcam.com/JpegInst.cab (pmjpegaudio Class)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} hxxp://static.pe.schuelervz.net/photouploader/ImageUploader5.cab?nocache=1222615440 (Image Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183949065925 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe (Virtools WebPlayer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{310825A3-322D-4107-AFC5-1E187FC18390}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CCD213F1-878A-492A-B886-CEF093D5CD23}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\WI9130~1\Datamngr\datamngr.dll) - C:\Programme\Windows Searchqu Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~1\WI9130~1\Datamngr\IEBHO.dll) - C:\Programme\Windows Searchqu Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Ursula Gnas\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Ursula Gnas\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - Unable to obtain root file information for disk D:\
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012/11/03 23:11:06 | 000,000,000 | ---D | C] -- C:\Users\Ursula Gnas\Documents\RL Magazin
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012/11/14 21:27:02 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/11/14 21:17:42 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/14 21:17:42 | 000,000,400 | ---- | M] () -- C:\Windows\tasks\RNUpgradeHelperLogonPrompt_Ursula Gnas.job
[2012/11/14 21:03:07 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/14 20:34:58 | 000,638,998 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012/11/14 20:34:58 | 000,130,918 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012/11/14 20:34:58 | 000,108,010 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/11/14 20:34:58 | 000,004,892 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/11/14 20:30:27 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/14 20:30:27 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/14 20:30:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/14 20:30:09 | 2137,186,304 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/14 12:52:05 | 000,000,394 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateFiles_Ursula Gnas.job
[2012/11/10 13:28:38 | 000,197,375 | ---- | M] () -- C:\Windows\hpwins27.dat
[2012/11/08 15:45:59 | 000,000,390 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateXML_Ursula Gnas.job
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012/10/16 14:44:03 | 000,000,400 | ---- | C] () -- C:\Windows\tasks\RNUpgradeHelperLogonPrompt_Ursula Gnas.job
[2012/10/16 14:44:02 | 000,000,394 | ---- | C] () -- C:\Windows\tasks\ReclaimerUpdateFiles_Ursula Gnas.job
[2012/10/16 14:44:01 | 000,000,390 | ---- | C] () -- C:\Windows\tasks\ReclaimerUpdateXML_Ursula Gnas.job
[2012/07/07 22:34:01 | 002,043,854 | ---- | C] () -- C:\Users\Ursula Gnas\ALMASED_Planfigur_Fasten.pdf
[2012/06/08 11:06:24 | 000,820,340 | ---- | C] () -- C:\Users\Ursula Gnas\Prinzessinenbenimmabzeichen.pdf
[2012/06/08 11:00:53 | 003,343,241 | ---- | C] () -- C:\Users\Ursula Gnas\Prinzessinen Akademie.pdf
[2012/05/12 13:24:02 | 000,197,375 | ---- | C] () -- C:\Windows\hpwins27.dat
[2012/04/29 19:47:19 | 000,364,403 | ---- | C] () -- C:\Users\Ursula Gnas\Karte Lauterbach.mht
[2012/04/29 19:45:01 | 000,603,285 | ---- | C] () -- C:\Users\Ursula Gnas\Extratour_Lauterbach.pdf
[2012/04/17 20:24:06 | 000,031,325 | ---- | C] () -- C:\Users\Ursula Gnas\Anmeldung_Auftrag DP11645686 - Kunde_Gnas,  UrsulaBerlin.eml
[2011/08/04 20:13:25 | 000,073,163 | ---- | C] () -- C:\Users\Ursula Gnas\Haushaltsplan.pdf
[2011/05/24 06:57:46 | 000,087,074 | ---- | C] () -- C:\Users\Ursula Gnas\Marburg - Stadtplan Sehenswr.._1.pdf
[2011/05/06 20:07:43 | 000,279,986 | ---- | C] () -- C:\Users\Ursula Gnas\991136764.pdf
[2011/04/29 19:51:17 | 000,499,697 | ---- | C] () -- C:\Users\Ursula Gnas\Prospekt_Wanderweg.pdf
[2011/04/29 12:37:48 | 001,643,688 | ---- | C] () -- C:\Users\Ursula Gnas\1188300022_wandern.pdf
[2011/03/04 22:01:32 | 001,521,450 | ---- | C] () -- C:\Users\Ursula Gnas\Traumeel.mht
[2010/11/25 10:53:35 | 000,044,285 | ---- | C] () -- C:\Users\Ursula Gnas\TKS-9c Kontaktdaten.pdf
[2010/10/16 18:51:22 | 000,342,925 | ---- | C] () -- C:\Users\Ursula Gnas\Biologika bei pA.pdf
[2010/07/31 21:32:14 | 000,439,940 | ---- | C] () -- C:\Users\Ursula Gnas\BewegungArthritis.pdf
[2010/03/11 12:29:02 | 000,255,448 | ---- | C] () -- C:\Users\Ursula Gnas\Praxisverlegung pt Journal.pdf
[2010/03/11 12:16:19 | 000,032,724 | ---- | C] () -- C:\Users\Ursula Gnas\Verlegung des Vertragsarztsitz.pdf
[2010/01/24 17:49:19 | 000,001,182 | ---- | C] () -- C:\Users\Ursula Gnas\aristoteles.htm
[2010/01/24 17:49:05 | 000,013,521 | ---- | C] () -- C:\Users\Ursula Gnas\abel2.jpeg
[2010/01/07 20:26:47 | 000,861,282 | ---- | C] () -- C:\Users\Ursula Gnas\Nachbesetzung Psychologe von Arzt.pdf
[2009/12/29 20:10:27 | 000,039,123 | ---- | C] () -- C:\Users\Ursula Gnas\Aktuell EI.jpg
[2009/12/25 10:10:50 | 000,000,008 | ---- | C] () -- C:\ProgramData\sysReserve.ini
[2009/12/06 20:41:35 | 000,118,023 | ---- | C] () -- C:\Users\Ursula Gnas\Ausschneiden.jpg
[2009/09/10 20:29:33 | 000,093,978 | ---- | C] () -- C:\Users\Ursula Gnas\04-109 PA und EI.rtf
[2009/09/03 19:58:11 | 000,165,949 | ---- | C] () -- C:\Users\Ursula Gnas\Burnout.pdf
[2009/09/02 10:49:27 | 001,091,825 | ---- | C] () -- C:\Users\Ursula Gnas\Sucht-am-Arbeitsplatz.pdf
[2009/09/02 10:24:45 | 000,034,425 | ---- | C] () -- C:\Users\Ursula Gnas\Sucht Rost.mht
[2009/09/02 08:53:25 | 000,188,064 | ---- | C] () -- C:\Users\Ursula Gnas\Lohmer_Kap.9.pdf
[2009/09/02 08:48:44 | 000,660,532 | ---- | C] () -- C:\Users\Ursula Gnas\organisationsberatung Lernen im Team.pdf
[2009/09/02 08:47:46 | 000,185,960 | ---- | C] () -- C:\Users\Ursula Gnas\Das ubw in Organisationen.pdf
[2009/09/02 08:33:55 | 000,100,884 | ---- | C] () -- C:\Users\Ursula Gnas\Lehrgang_LCO_WPAk__2010_11.pdf
[2009/09/02 08:12:45 | 000,129,339 | ---- | C] () -- C:\Users\Ursula Gnas\Flyer-Leitungscoaching-2009.pdf
[2009/09/02 07:25:56 | 000,051,526 | ---- | C] () -- C:\Users\Ursula Gnas\stress_vermeiden[1].pdf
[2009/09/02 07:24:46 | 000,300,123 | ---- | C] () -- C:\Users\Ursula Gnas\3_89749_372_1_i[1] Stressm Inh..pdf
[2009/09/02 07:17:29 | 000,229,267 | ---- | C] () -- C:\Users\Ursula Gnas\3_89749_354_3_i[1] Zeit Inhv..pdf
[2009/09/02 07:15:11 | 000,070,305 | ---- | C] () -- C:\Users\Ursula Gnas\978_3_89749_647_7_k[1] Selbstman.pdf
[2009/09/02 07:08:55 | 000,126,055 | ---- | C] () -- C:\Users\Ursula Gnas\3_89749_354_3_k[1] Zeitm.pdf
[2009/07/05 14:30:57 | 000,004,904 | ---- | C] () -- C:\ProgramData\ypkpiykb.yyr
[2007/11/03 18:23:04 | 000,020,992 | ---- | C] () -- C:\Users\Ursula Gnas\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/09/08 12:52:31 | 000,000,680 | RHS- | C] () -- C:\Users\Ursula Gnas\ntuser.pol
[2007/09/06 18:42:17 | 000,005,224 | ---- | C] () -- C:\Users\Ursula Gnas\AppData\Roaming\wklnhst.dat
[2007/09/05 16:11:28 | 000,000,099 | ---- | C] () -- C:\Users\Ursula Gnas\AppData\Local\fusioncache.dat
 
========== ZeroAccess Check ==========
 
[2006/11/02 13:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 18:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 07:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 07:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2007/11/04 15:51:57 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\.pknowledge
[2012/11/14 20:51:42 | 000,000,000 | -HSD | M] -- C:\Users\Bernhard\AppData\Roaming\159485
[2007/09/15 14:04:30 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\BullGuard
[2011/10/09 16:42:54 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\Canon
[2007/11/04 15:41:38 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\DataDesign
[2012/11/14 20:50:46 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\Eniz
[2009/03/09 18:59:26 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\ICQ
[2011/04/17 09:26:28 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\InterVideo
[2008/08/25 19:34:48 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\NewSoft
[2012/11/14 18:14:01 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\Ogemqa
[2012/03/08 17:46:54 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\OpenOffice.org
[2011/05/12 19:48:06 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\Opera
[2012/11/14 18:14:01 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\Owuf
[2008/06/24 16:48:57 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\Sonavis
[2007/11/04 15:58:13 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\Template
[2007/09/08 12:57:04 | 000,000,000 | ---D | M] -- C:\Users\Bernhard\AppData\Roaming\Ulead Systems
[2012/06/27 16:10:20 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\.minecraft
[2007/12/16 17:59:49 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\.pknowledge
[2012/09/26 10:48:05 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Anad
[2010/01/08 13:50:33 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Artisteer
[2011/08/24 12:36:18 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Canon
[2009/05/15 18:30:45 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\CoSoSys
[2011/09/01 15:28:12 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\DVDVideoSoft
[2011/04/20 15:38:09 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\DVDVideoSoftIEHelpers
[2011/09/01 15:17:11 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\FreeVideoConverter
[2012/09/22 21:33:42 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Fuis
[2011/03/08 18:50:14 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Gutscheinmieze
[2012/09/22 21:07:46 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Hany
[2009/03/23 17:54:59 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\ICQ
[2010/01/26 17:26:01 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\IN-MEDIAKG
[2012/11/14 20:56:59 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\LimeWire
[2007/09/10 13:41:05 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\MAGIX
[2009/05/22 19:46:08 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\NewSoft
[2010/11/05 09:44:32 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\OpenOffice.org
[2011/05/20 20:10:47 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Opera
[2008/08/25 19:22:03 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\ScanSoft
[2011/03/11 15:17:43 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\ShinyTales
[2008/10/22 18:40:33 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Sonavis
[2011/01/28 15:30:48 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\SumatraPDF
[2007/09/06 18:52:01 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Template
[2007/09/05 16:11:52 | 000,000,000 | ---D | M] -- C:\Users\Ursula Gnas\AppData\Roaming\Ulead Systems
[2012/08/09 14:26:28 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\.minecraft
[2007/11/28 16:51:04 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\.pknowledge
[2010/09/03 17:25:49 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\ASCON Installer
[2007/09/13 15:41:44 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\BullGuard
[2008/11/30 11:50:09 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Canon
[2009/07/22 16:20:16 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\com.boomerang.virtualpet.VirtualPuppy.9FF3ACFC898E08433FEA147D91B7D0C65CBC0149.1
[2012/10/09 17:09:33 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\CoSoSys
[2011/03/26 14:54:52 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\de.closeup.fotowerkstatt.001F9DF2D0BAABEB11F42CCEE43224607B61109C.1
[2009/09/16 15:31:59 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Desktopicon
[2012/11/14 21:19:09 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Dropbox
[2011/09/01 16:17:13 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\DVDVideoSoft
[2009/09/03 16:08:51 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Flock
[2012/06/08 13:50:23 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\FreeVideoConverter
[2010/08/29 13:59:33 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\gtk-2.0
[2008/10/17 09:29:27 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\ICQ
[2008/05/02 14:49:44 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\InterVideo
[2011/09/30 13:25:14 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\OpenOffice.org
[2011/04/07 14:11:17 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Opera
[2010/02/12 12:17:16 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\phonostar GmbH
[2007/11/07 15:36:48 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Sonavis
[2007/09/24 17:09:44 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Template
[2007/09/08 12:58:28 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Ulead Systems
[2010/02/21 15:38:37 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\VMedia
[2008/11/29 09:51:57 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\Zylom
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 949 bytes -> C:\Users\Ursula Gnas\Anmeldung_Auftrag DP11645686 - Kunde_Gnas,  UrsulaBerlin.eml:OECustomProperty
@Alternate Data Stream - 936 bytes -> C:\Users\Ursula Gnas\Documents\Re_ Überweisung und Vorschlag bzgl_ weiterem Vorgehen.eml:OECustomProperty
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:6FD3C973

< End of report >
         
--- --- ---
Extras.txt:OTL Logfile:
Code:
ATTFilter
OTL Extras logfile created on: 11/14/2012 9:22:13 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Verena\Documents
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1.99 Gb Total Physical Memory | 0.70 Gb Available Physical Memory | 35.10% Memory free
4.21 Gb Paging File | 2.84 Gb Available in Paging File | 67.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 119.00 Gb Total Space | 53.60 Gb Free Space | 45.05% Space Free | Partition Type: NTFS
Drive D: | 30.04 Gb Total Space | 20.61 Gb Free Space | 68.60% Space Free | Partition Type: FAT32
 
Computer Name: URSULAGNAS-PC | User Name: Ursula Gnas | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)
 
[HKEY_USERS\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
[HKEY_USERS\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Users\Verena\AppData\Local\Programs\Opera\Opera.exe (Opera Software)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2B404A06-B587-441B-8508-574197EE5664}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{35F68AF2-3C32-467E-AA94-A7E1EDA7E959}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{3B5140AF-9441-44D4-9BB7-17A2834E8641}" = lport=445 | protocol=6 | dir=in | app=system | 
"{43EF6138-AD6E-44B4-80A0-06A8B56A1E94}" = rport=137 | protocol=17 | dir=out | app=system | 
"{48445252-CEFB-44DD-A8F3-1B309830FAD6}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{4E6BF190-640D-4BF4-9626-0504AD6F60B5}" = rport=138 | protocol=17 | dir=out | app=system | 
"{4FBB3CF8-7B9D-499E-8E15-7CDE0DF18B8B}" = lport=139 | protocol=6 | dir=in | app=system | 
"{5E7E378A-AED3-4010-9978-57620F97446C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | 
"{71A20DCA-BF23-4822-86E7-0C54D914A04F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{7DA37AA9-C677-403D-8F69-0686704FE5EE}" = rport=445 | protocol=6 | dir=out | app=system | 
"{93DA0FC7-B2D8-4C99-9AF1-49B07E1618EC}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{A0CD124C-0DFD-4CC3-80FC-361392C8AB96}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{AF1172AF-59AA-4611-B521-2B8E5219113D}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{B7BF7815-6F48-4A6A-9166-27B772895CD4}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{B8381C8A-70FD-4A7D-B069-52DD3514A87E}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{C0DC0D92-42A1-4E07-A635-6BCA8F03913D}" = rport=139 | protocol=6 | dir=out | app=system | 
"{C6633CDE-3669-4250-AF1D-23730B025600}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe | 
"{DFFC37CF-DC71-4304-B698-2ADE24891997}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{E00D995A-EE1F-4ED5-BB02-0B4D974F1E1E}" = lport=138 | protocol=17 | dir=in | app=system | 
"{F0C85710-603A-4908-A983-1B9039837A2E}" = lport=137 | protocol=17 | dir=in | app=system | 
"{F96A3BF6-B297-40BC-9F32-8965FEA1E8C8}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03082FF1-2E27-4CF6-8ABA-837F151757C1}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\rm.exe | 
"{051E6A70-6126-4C9A-9816-703F0F700716}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe | 
"{05A11FC7-5CA4-4E6C-9C87-1BAD3B4E6291}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe | 
"{0C88D5C7-D0F2-4DA2-9138-F23B3903FD85}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{0E22AD1C-9DFD-4D05-A1B7-1A13D0B09F6C}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\videospin.exe | 
"{1238CD5D-D507-4072-AF12-D16EA22EC589}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpofxs08.exe | 
"{16A82BA1-9A49-48C1-AE21-EBAD7E336A94}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqkygrp.exe | 
"{173049DD-BB4A-4461-96F6-86543770D65F}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\videospin.exe | 
"{1747FACC-F786-4B86-90B8-DD68DF47A8E0}" = protocol=17 | dir=in | app=c:\users\verena\appdata\roaming\dropbox\bin\dropbox.exe | 
"{189CC824-B11A-4014-936D-1D3A602BE0A8}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe | 
"{19F9BCD8-248B-4B8C-A64B-5ED45C1D64D2}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe | 
"{1C06827B-0B4E-4521-8809-77C8259009AE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpofxm08.exe | 
"{1F09F116-AC2C-4ECD-9777-79763B72BB06}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{25D9EF95-DC57-4532-B904-6CE7D6DBFAD5}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe | 
"{2657836C-2472-4F51-8CE9-E1427AA79788}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | 
"{36B76DA6-35AA-479A-9C88-4392F01313B7}" = dir=in | app=c:\program files\msn messenger\msnmsgr.exe | 
"{36B8CDC8-A74E-4030-ACEB-A1983E252845}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposfx08.exe | 
"{3AE2FBD3-AF37-464B-918C-F437F2C8EC07}" = protocol=6 | dir=in | app=c:\program files\windows searchqu toolbar\datamngr\toolbar\dtuser.exe | 
"{41718033-6D52-4893-9F2C-1005DDF9F60B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{42A9789A-32DD-49D8-AB58-56F97299CECE}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe | 
"{4368AA7B-D442-4036-B45D-CD59BE3AA5F1}" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe | 
"{44CE3DAE-D928-41D1-8DEF-957B3B0B6B4D}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{5A5DAA8B-4681-4594-9E74-B7D6586DD783}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe | 
"{5B30D2B9-3AA6-4091-8B69-DDD2FAA1C800}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe | 
"{5DDBF92A-8B37-4D44-B8E2-571CEAE2D345}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"{5F5AF7D2-487F-4AE4-A106-A504DAE00320}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe | 
"{67C8B715-C451-458D-8F93-77CFEFFD4F6B}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqfxt08.exe | 
"{6B04FD92-7DAB-4CFD-B43A-1E49168A3922}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe | 
"{7600E43F-6320-41B0-98E5-8303D3D2C48E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"{82585F82-ADD5-4EB5-B33A-2D3E6B7277FF}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe | 
"{83131CC3-1563-4E39-BA8C-86501DA3AE21}" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe | 
"{86810B14-6669-41A0-87CA-EC259EE41EC8}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | 
"{A353834D-A986-43EF-BE4D-277A1C5E31B9}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\umi.exe | 
"{A9318A6B-978F-4CF6-A252-754336B52578}" = protocol=17 | dir=in | app=c:\program files\windows searchqu toolbar\datamngr\toolbar\dtuser.exe | 
"{B252BC31-9605-41E4-A9DE-B74CFF671C9D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{B4C4F9DB-2428-42C7-BE74-E993489B51AE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpzwiz01.exe | 
"{B5082DCF-FB59-457F-97A2-D63F8AE8DFAF}" = dir=in | app=c:\program files\msn messenger\livecall.exe | 
"{B88BF8F2-6463-43A7-AD75-F5ACF81CFD60}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\rm.exe | 
"{BCAC798E-9B72-4F51-BD45-A73B9DA1EFE8}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{BCC5B7FE-0747-462E-9E14-5C1868E83E89}" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe | 
"{BD625F33-9D4B-49A6-85F9-752E706BC27A}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpfccopy.exe | 
"{BDDD5A65-8E58-43B2-84DB-42AE14E218FC}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpiscnapp.exe | 
"{BF771245-A1AC-47A8-B1A1-079645A2E58F}" = protocol=6 | dir=in | app=c:\users\verena\appdata\roaming\dropbox\bin\dropbox.exe | 
"{C36E771D-8C7C-45CE-9EEF-39E354E2FF45}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{D4C216C5-CA96-458D-945E-9FE738555719}" = protocol=17 | dir=in | app=c:\program files\opera\pluginwrapper\opera_plugin_wrapper.exe | 
"{D60339EE-01B1-45F2-9EBD-3F656CDA0D93}" = protocol=6 | dir=in | app=c:\program files\giraffic\giraffic.exe | 
"{D8C62779-D560-4F92-83F8-0DF5A8B88DBD}" = protocol=17 | dir=in | app=c:\program files\giraffic\giraffic.exe | 
"{E6BC0548-4175-44AF-8B9C-93379DFD465A}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{E86029FF-386B-42F6-B0C2-BEBEE0D1C97A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{EBA3DB16-4CD8-4F78-BCA0-C3CACE637356}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{EFBD8F08-A315-45ED-863D-1D0EFC2A23A0}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe | 
"{F74998ED-9FF9-4D8C-BC13-BD666FE67CB3}" = protocol=6 | dir=in | app=c:\program files\opera\pluginwrapper\opera_plugin_wrapper.exe | 
"{FB62E809-13ED-4E21-AC1A-065F1378B861}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{FC6720A9-BDCD-4A5D-B868-DC237B5075E0}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\umi.exe | 
"{FC6BEDC5-A23E-40C8-8750-D8515AD9A2E8}" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe | 
"TCP Query User{09D732FC-B93A-4707-BA01-151E14A64F0A}C:\program files\real\realplayer\recordingmanager.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\recordingmanager.exe | 
"TCP Query User{0D33D9F8-370D-4FAF-AEB3-54C94A3428A3}C:\users\ursula gnas\appdata\local\temp\cprogram filesopera\operaupgrader.exe" = protocol=6 | dir=in | app=c:\users\ursula gnas\appdata\local\temp\cprogram filesopera\operaupgrader.exe | 
"TCP Query User{505364F9-A1D4-475A-B787-11E57C6C0E53}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | 
"TCP Query User{5F2A51C2-E8B7-4F9C-B2E2-238E7E55A6A2}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"TCP Query User{62894636-093A-448F-9D99-A3939B8D6788}C:\program files\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe | 
"TCP Query User{641B56D9-9348-403B-84DF-AD6124F98988}C:\program files\icq6\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6\icq.exe | 
"TCP Query User{91DB75D5-DAED-4DE8-82F6-1CF9F8391E0F}C:\users\verena\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\verena\appdata\roaming\dropbox\bin\dropbox.exe | 
"TCP Query User{954938C9-02F2-40A6-9FC0-86EC6A2260EC}C:\users\verena\appdata\local\programs\opera\opera.exe" = protocol=6 | dir=in | app=c:\users\verena\appdata\local\programs\opera\opera.exe | 
"TCP Query User{9F17D443-D8D9-431A-B10B-9BFECD8B8DAD}C:\users\verena\appdata\local\programs\opera\opera.exe" = protocol=6 | dir=in | app=c:\users\verena\appdata\local\programs\opera\opera.exe | 
"TCP Query User{A09D9804-34EA-4E3D-939A-A224114D404A}C:\users\ursula gnas\appdata\local\temp\cprogram filesopera\operaupgrader.exe" = protocol=6 | dir=in | app=c:\users\ursula gnas\appdata\local\temp\cprogram filesopera\operaupgrader.exe | 
"TCP Query User{A7066F63-68D3-47EC-A5EE-15F6F8D0559D}C:\program files\freeciv-2.0.9-gtk2\civclient.exe" = protocol=6 | dir=in | app=c:\program files\freeciv-2.0.9-gtk2\civclient.exe | 
"TCP Query User{B1012B3A-C2DC-4256-873C-04EFDED6C452}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe | 
"TCP Query User{EC4FF5EB-BE8D-489C-AB05-B540DA434F76}C:\program files\videolan\vlc\vlc.exe" = protocol=6 | dir=in | app=c:\program files\videolan\vlc\vlc.exe | 
"TCP Query User{F0DA33E7-CB31-40FC-A942-6D5158B99FA4}C:\program files\freeciv-2.0.9-gtk2\civserver.exe" = protocol=6 | dir=in | app=c:\program files\freeciv-2.0.9-gtk2\civserver.exe | 
"TCP Query User{F2B290C7-80C1-40D4-B3CB-19A452287FCB}C:\program files\microsoft office\office12\groove.exe" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"TCP Query User{FF796FC5-13CE-4C39-A9DD-EF81925620D5}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"UDP Query User{13848698-1968-41D7-A81A-6716496CE547}C:\users\ursula gnas\appdata\local\temp\cprogram filesopera\operaupgrader.exe" = protocol=17 | dir=in | app=c:\users\ursula gnas\appdata\local\temp\cprogram filesopera\operaupgrader.exe | 
"UDP Query User{39515BBE-FECD-4C63-92A4-B5A3616A0674}C:\users\verena\appdata\local\programs\opera\opera.exe" = protocol=17 | dir=in | app=c:\users\verena\appdata\local\programs\opera\opera.exe | 
"UDP Query User{3C4BBF75-4BA1-448B-87FC-1FD9D5EF99B7}C:\users\verena\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\verena\appdata\roaming\dropbox\bin\dropbox.exe | 
"UDP Query User{50EA9608-D576-4684-9A11-BC5452056684}C:\program files\freeciv-2.0.9-gtk2\civserver.exe" = protocol=17 | dir=in | app=c:\program files\freeciv-2.0.9-gtk2\civserver.exe | 
"UDP Query User{5C9D1028-91BC-4E1F-B1E5-BAFAAA264798}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | 
"UDP Query User{6B7EC544-765F-4087-92BA-F037AE1AED81}C:\program files\videolan\vlc\vlc.exe" = protocol=17 | dir=in | app=c:\program files\videolan\vlc\vlc.exe | 
"UDP Query User{727E6E51-2F5C-46DA-BF9A-0AD21F91F40A}C:\users\verena\appdata\local\programs\opera\opera.exe" = protocol=17 | dir=in | app=c:\users\verena\appdata\local\programs\opera\opera.exe | 
"UDP Query User{824434B5-35D8-4B8E-9600-C3F15BAA1B2E}C:\program files\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe | 
"UDP Query User{9254165B-0921-4B32-8767-20E0BE0D4936}C:\program files\freeciv-2.0.9-gtk2\civclient.exe" = protocol=17 | dir=in | app=c:\program files\freeciv-2.0.9-gtk2\civclient.exe | 
"UDP Query User{94E153D8-7FD2-4065-93D8-AF8DE2080856}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"UDP Query User{98CC1495-5B1D-4D8A-A3DD-968D2D826005}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | 
"UDP Query User{A452D340-D29F-4DBD-AF23-BCEC7CC32C55}C:\program files\icq6\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6\icq.exe | 
"UDP Query User{A6A3DA05-DC5E-4CB2-87A6-F557AAA2E02D}C:\program files\real\realplayer\recordingmanager.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\recordingmanager.exe | 
"UDP Query User{C53B193B-0D7E-40E6-A950-61E8D58B9539}C:\program files\microsoft office\office12\groove.exe" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe | 
"UDP Query User{DE608265-B36C-47A4-9FC8-DCF7D0222E31}C:\users\ursula gnas\appdata\local\temp\cprogram filesopera\operaupgrader.exe" = protocol=17 | dir=in | app=c:\users\ursula gnas\appdata\local\temp\cprogram filesopera\operaupgrader.exe | 
"UDP Query User{EF0A1420-EC62-4E87-9667-3B2F900D7CE7}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{026C3D27-9BE1-46BE-BEAE-6DE38A0F4FBE}" = RealNetworks - Microsoft Visual C++ 2005 Runtime
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{08E4F3CE-A34E-4667-8DE9-147249FAE468}" = Mein Geld Professional
"{0E5C4DE6-101B-11D6-986D-00500443CF9F}" = Sven Bømwøllen DL
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX300_series" = Canon MX300 series
"{11AFE21E-B193-430D-B57A-DFF7815BB962}" = Ulead PhotoImpact 12
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"{21209AE8-1E93-4289-A88F-5EE0F22CF9F8}" = Scrapbook Flair
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 30
"{279DB581-239C-4E13-97F8-0F48E40BE75C}" = Windows Live Messenger
"{27FDF949-69CE-435A-8372-339F72336AC5}" = MEDIONbox
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{34F0D55F-C386-4195-9A5B-961D3F6ACD46}" = InterVideo MediaOne Gallery
"{36C3A0DA-07E0-4173-A406-D9308C1CBDAB}" = ArcSoft VideoImpression 2
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Suyin Live Camera
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D24A762-F5A2-41C1-9F0A-300B4D8D5A2B}" = Mathe Klasse 8-10
"{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}" = Skype Plugin Manager
"{3E8C2BA2-F4CA-4A1D-A690-6B9A411DAF8B}" = ArcSoft PhotoImpression 5
"{3EB6F78A-66E3-434f-BD0E-76C7D078DB5E}" = 4500G510af_Software_Min
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{440B915A-0C85-45DB-92AE-75AE14704A64}" = Fax
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4C73B683-B15D-4B94-AC7A-520B70C4FFE9}" = Sceneo AbsolutTV
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 5.0
"{4EA2F95F-A537-4d17-9E7F-6B3FF8D9BBE3}" = Microsoft Works
"{552C83B7-0013-42EA-B285-1997D129DD53}" = SA31xx Device Manager & Media Converter
"{55D65D27-C0CD-4375-9021-F3D3D024ED90}_is1" = Minecraft PC Gamer Demo version 1.5
"{5BDD4025-01EB-4698-9238-9F783C26CFAE}" = ORGA 900 (CD 05.2009)
"{63B75E16-F290-4FCD-AF67-A9134CD01031}" = Nero 7 Essentials
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{70C592EC-AE9B-4734-928B-676E824FB41E}" = MFC RunTime files
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{77F69001-4D35-4BEA-A074-26DA04EA0CDA}" = MegaCam
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{895722FE-25FE-4854-95AC-B0C42F9DBEDA}" = REALTEK RTL8187B Wireless LAN Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8B9F50F9-BA6F-47c5-990B-76A74A1C68B0}" = 4500G510af
"{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}" = iLivid
"{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8F8D9297-FDD2-405A-97E7-E52C7B2F97B3}" = Ulead VideoStudio SE DVD
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISER_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISER_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISER_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007
"{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISER_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{92A51949-EE4C-466D-AAF0-99E74A49A63F}" = DocMgr
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}" = Paint.NET v3.5.8
"{A7E19604-93AF-4611-8C9F-CE509C2B286E}_is1" = VDownloader 2.7.322
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA047D7C-5E7C-4878-B75C-77589151B563}" = SUYIN webcam
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.2 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B9845F2F-455C-4E76-9599-159AE471DB59}_is1" = Subvein Mutant Factions v0.71
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C07AC662-A823-B19B-72A4-606096DCE07A}" = CloseUp-Fotowerkstatt
"{C175D5B0-ED04-42C9-B23F-D8BD406173E7}" = 4500_G510af_Help
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{C98517B6-DCE9-49B7-B19E-E384178D3986}" = HP Officejet 4500 G510a-f
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCC8E84E-AB61-4EC0-890D-8B553915B3AD}" = TVsweeper
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0846526-66DD-4DC9-A02C-98F9A2806812}" = Launch Manager V1.3.9
"{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}" = Norton Security Scan
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{DE470016-1C64-11D5-982A-0050DA602C65}" = Löwenzahn 5
"{DEE88727-779B-47A9-ACEF-F87CA5F92A65}" = ScanSoft OmniPage SE 4
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe  1.4.124.1
"{E572B060-C98B-4984-A48E-E4FA56265903}" = SA31xx Device Manager & Media Converter
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{FA0BBB87-91A1-4BFD-9005-EB058BBA0E14}_is1" = StreamTransport version: 1.0.2.2171
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"ALDI Foto Manager Free Nord D" = ALDI Foto Manager Free Nord 3.4.0.466 (D)
"ALDI Foto Service Nord D" = ALDI Foto Service Nord 1.10.0.61 (D)
"ALDI Fotobuch Druck Service_is1" = ALDI Fotobuch Druck Service
"ALDI Online Druck Service (Nord)" = ALDI Online Druck Service (Nord)
"Artisteer 2" = Artisteer 2
"Avira AntiVir Desktop" = Avira Free Antivirus
"CamStudio" = CamStudio
"CamStudio Lossless Codec_is1" = CamStudio Lossless Codec v1.4
"Canon MX300 series Benutzerregistrierung" = Canon MX300 series Benutzerregistrierung
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"de.closeup.fotowerkstatt.001F9DF2D0BAABEB11F42CCEE43224607B61109C.1" = CloseUp-Fotowerkstatt
"Debut" = Debut Video Capture Software
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ENTERPRISER" = Microsoft Office Enterprise 2007
"Epikur 3" = Epikur 3
"Extensions for Windows" = Extensions for Windows
"eyrie_screensaver" = eyrie_screensaver
"Firebird SQL Server D" = Firebird SQL Server - MAGIX Edition 2.0.0.1 (D)
"Flock (2.5.2)" = Flock (2.5.2)
"FotoWorks XL_is1" = FotoWorks XL
"Free DVD Video Burner_is1" = Free DVD Video Burner version 3.1.0.602
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 6.2
"Free Realms Installer" = Free Realms Installer
"Free Video Converter_is1" = Free Video Converter V 3.0
"Free Video to DVD Converter_is1" = Free Video to DVD Converter version 1.6.21.602
"Free Video to MP3 Converter_is1" = Free Video to MP3 Converter version 4.3.815
"Free YouTube Download_is1" = Free YouTube Download version 3.0.14.908
"Freeciv-2.0.9-gtk2" = Freeciv 2.0.9 (GTK+ client)
"GM(S) - Toolbar" = GM(S) - Toolbar
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"HPOCR" = OCR Software by I.R.I.S. 13.0
"HyperCam 2" = HyperCam 2
"iLivid" = iLivid
"ImTOO MP4 Video Converter" = ImTOO MP4 Video Converter
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"LetsTrade" = LetsTrade Komponenten
"LimeWire" = LimeWire 5.4.6
"LoeweLex" = Löwenzahn Lexikon
"MEDION Fotos auf CD Nord D" = MEDION Fotos auf CD Nord 6.0.2.0 (D)
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
"Neopets - Blossom" = Neopets - Blossom Screen Saver
"Neopets - Gnomes raid the Pant Devil" = Neopets - Gnomes raid the Pant Devil Screen Saver
"NSSSetup.{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}" = Norton Security Scan (Symantec Corporation)
"OpenAL" = OpenAL
"Opera 11.60.1185" = Opera 11.60
"Opera 12.10.1652" = Opera 12.10
"Picasa 3" = Picasa 3
"Plants vs. Zombies" = Plants vs. Zombies
"Prism" = Prism Video Converter
"PsychoDat Einzelversion Demo" = PsychoDat Einzelversion Demo
"Psycom" = Psycom
"RealPlayer 12.0" = RealPlayer
"Searchqu 0 MediaBar" = Windows Searchqu Toolbar
"Shop for HP Supplies" = Shop for HP Supplies
"Skype_is1" = eBay.de - Skype 3.0
"SMSERIAL" = Motorola SM56 Data Fax Modem
"Stardoll Toolbar" = Stardoll Toolbar
"SumatraPDF" = SumatraPDF
"SUPER ©" = SUPER © Version 2009.bld.36 (June 10, 2009)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uninstall_is1" = Uninstall 1.0.0.1
"Veoh Web Player Beta" = Veoh Web Player
"Veoh_Web_Player Toolbar" = Veoh Web Player Toolbar
"VLC media player" = VLC media player 1.1.5
"WinGimp-2.0_is1" = GIMP 2.6.6
"Yahoo! Companion" = Yahoo! Toolbar
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-2422886476-3853793481-2147584669-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-2422886476-3853793481-2147584669-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"HappyCloud" = Happy Cloud Client
"LOTROde" = Der Herr der Ringe Online
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Opera 12.10.1652" = Opera 12.10
"phonostar3RadioPlayer_is1" = phonostar-Player Version 3.01.3
"PhotoStage" = PhotoStage Slideshow Producer
"Prism" = Prism Video File Converter
"Sweet Home 3D" = Sweet Home 3D
"UnityWebPlayer" = Unity Web Player
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 11/9/2012 3:42:48 PM | Computer Name = UrsulaGnas-PC | Source = Windows Search Service | ID = 9000
Description = 
 
Error - 11/9/2012 3:42:48 PM | Computer Name = UrsulaGnas-PC | Source = Windows Search Service | ID = 7040
Description = 
 
Error - 11/9/2012 3:42:48 PM | Computer Name = UrsulaGnas-PC | Source = Windows Search Service | ID = 9002
Description = 
 
Error - 11/9/2012 3:42:48 PM | Computer Name = UrsulaGnas-PC | Source = Windows Search Service | ID = 3029
Description = 
 
Error - 11/9/2012 3:42:50 PM | Computer Name = UrsulaGnas-PC | Source = Windows Search Service | ID = 3029
Description = 
 
Error - 11/9/2012 3:42:50 PM | Computer Name = UrsulaGnas-PC | Source = Windows Search Service | ID = 3028
Description = 
 
Error - 11/9/2012 3:42:50 PM | Computer Name = UrsulaGnas-PC | Source = Windows Search Service | ID = 3058
Description = 
 
Error - 11/10/2012 8:24:36 AM | Computer Name = UrsulaGnas-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung hpqgpc01.exe, Version 130.0.14.16, Zeitstempel
 0x49dd90d9, fehlerhaftes Modul hpqgpc01.exe, Version 130.0.14.16, Zeitstempel 0x49dd90d9,
 Ausnahmecode 0xc0000005, Fehleroffset 0x0000a267,  Prozess-ID 0x1688, Anwendungsstartzeit
 01cdbf3e04c150e0.
 
Error - 11/10/2012 8:32:52 AM | Computer Name = UrsulaGnas-PC | Source = Windows Search Service | ID = 3024
Description = 
 
Error - 11/13/2012 12:26:09 PM | Computer Name = UrsulaGnas-PC | Source = Application Error | ID = 1000
Description = Fehlerhafte Anwendung hpqgpc01.exe, Version 130.0.14.16, Zeitstempel
 0x49dd90d9, fehlerhaftes Modul hpqgpc01.exe, Version 130.0.14.16, Zeitstempel 0x49dd90d9,
 Ausnahmecode 0xc0000005, Fehleroffset 0x0000a267,  Prozess-ID 0x1660, Anwendungsstartzeit
 01cdc1bb37230720.
 
[ OSession Events ]
Error - 12/22/2007 1:16:06 PM | Computer Name = UrsulaGnas-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 224
 seconds with 180 seconds of active time.  This session ended with a crash.
 
Error - 9/29/2010 3:32:52 PM | Computer Name = UrsulaGnas-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8268
 seconds with 4620 seconds of active time.  This session ended with a crash.
 
Error - 2/10/2011 11:56:34 AM | Computer Name = UrsulaGnas-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 115
 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error - 1/12/2012 5:05:13 AM | Computer Name = UrsulaGnas-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1549
 seconds with 1440 seconds of active time.  This session ended with a crash.
 
Error - 4/15/2012 4:27:29 AM | Computer Name = UrsulaGnas-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
 12.0.6607.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3
 seconds with 0 seconds of active time.  This session ended with a crash.
 
[ System Events ]
Error - 11/13/2012 12:21:56 PM | Computer Name = UrsulaGnas-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 11/13/2012 2:45:43 PM | Computer Name = UrsulaGnas-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 11/14/2012 6:50:24 AM | Computer Name = UrsulaGnas-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 11/14/2012 12:59:26 PM | Computer Name = UrsulaGnas-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 11/14/2012 1:16:39 PM | Computer Name = UrsulaGnas-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 11/14/2012 1:20:33 PM | Computer Name = UrsulaGnas-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am 14.11.2012 um 18:18:50 unerwartet heruntergefahren.
 
Error - 11/14/2012 1:22:03 PM | Computer Name = UrsulaGnas-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 11/14/2012 2:26:34 PM | Computer Name = UrsulaGnas-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 11/14/2012 3:30:57 PM | Computer Name = UrsulaGnas-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 11/14/2012 3:50:02 PM | Computer Name = UrsulaGnas-PC | Source = DCOM | ID = 10010
Description = 
 
 
< End of report >
         
--- --- ---

Alt 15.11.2012, 00:30   #2
t'john
/// Helfer-Team
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen





Die Bereinigung besteht aus mehreren Schritten, die ausgefuehrt werden muessen.
Diese Nacheinander abarbeiten und die 4 Logs, die dabei erstellt werden bitte in deine naechste Antwort einfuegen.

Sollte der OTL-FIX nicht richig durchgelaufen sein. Fahre nicht fort, sondern mede dies bitte.

1. Schritt

Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

  • Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
  • Starte die OTL.exe.
    Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
  • Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:
  • Der Fix fängt mit :OTL an. Vergewissere dich, dass du ihn richtig kopiert hast.

Ersetze die *** Sternchen wieder in den Benutzernamen zurück!
Code:
ATTFilter
:OTL
IE - HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 129.241.88.65:80 
O4 - HKLM..\Run: [] File not found 
O4 - HKU\S-1-5-21-2422886476-3853793481-2147584669-1003..\Run: [Naugzue] "C:\Users\Ursula Gnas\AppData\Roaming\Anad\xati.exe" File not found 
@Alternate Data Stream - 949 bytes -> C:\Users\Ursula Gnas\Anmeldung_Auftrag DP11645686 - Kunde_Gnas, UrsulaBerlin.eml:OECustomProperty 
@Alternate Data Stream - 936 bytes -> C:\Users\Ursula Gnas\Documents\Re_ Überweisung und Vorschlag bzgl_ weiterem Vorgehen.eml:OECustomProperty 
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:6FD3C973 

[2012/11/14 20:51:42 | 000,000,000 | -HSD | M] -- C:\Users\Bernhard\AppData\Roaming\159485 
 
:Files
C:\ProgramData\*.exe
C:\ProgramData\*.dll
C:\ProgramData\*.tmp
C:\ProgramData\TEMP
C:\Users\*****\*.tmp
C:\Users\*****\AppData\Local\{*}
C:\Users\*****\AppData\Local\Temp\*.exe
C:\Users\*****\AppData\LocalLow\Sun\Java\Deployment\cache
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
ipconfig /flushdns /c
:Commands
[emptytemp]
         
  • Schließe alle Programme.
  • Klicke auf den Fix Button.
  • Wenn OTL einen Neustart verlangt, bitte zulassen.
  • Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
    Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!



2. Schritt
Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Malwarebytes Anti-Malware
- Anwendbar auf Windows 2000, XP, Vista und 7.
- Installiere das Programm in den vorgegebenen Pfad.
- Aktualisiere die Datenbank!
- Aktiviere "Komplett Scan durchführen" => Scan.
- Wähle alle verfügbaren Laufwerke (ausser CD/DVD) aus und starte den Scan.
- Funde bitte löschen lassen oder in Quarantäne.
- Wenn der Scan beendet ist, klicke auf "Zeige Resultate".
danach:

3. Schritt

Downloade Dir bitte AdwCleaner auf deinen Desktop.

  • Starte die adwcleaner.exe mit einem Doppelklick.
  • Klicke auf Search.
  • Nach Ende des Suchlaufs öffnet sich eine Textdatei.
  • Poste mir den Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner[R1].txt.



4. Schritt
  • Schließe alle offenen Programme und Browser.
  • Starte die adwcleaner.exe mit einem Doppelklick.
  • Klicke auf Delete.
  • Bestätige jeweils mit Ok.
  • Dein Rechner wird neu gestartet. Nach dem Neustart öffnet sich eine Textdatei.
  • Poste mir den Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.
__________________

__________________

Alt 15.11.2012, 21:04   #3
MrsLazuli
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Vielen Dank, für die schnelle Hilfe. Habe alle Schritte durchgeführt, hat ohne Probleme geklappt. Soweit ich das erkennen kann scheint der Trojaner entfernt zu sein. Der betroffene Benutzer lässt sich wieder ohne Einschränkungen verwenden. Hier noch die Logfiles der einzelnen Schritte.

Aus Schritt 1:
Logfile von OTL:

Code:
ATTFilter
All processes killed
========== OTL ==========
HKU\S-1-5-21-2422886476-3853793481-2147584669-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2422886476-3853793481-2147584669-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Naugzue deleted successfully.
Unable to delete ADS C:\Users\Ursula Gnas\Anmeldung_Auftrag DP11645686 - Kunde_Gnas, UrsulaBerlin.eml:OECustomProperty .
ADS C:\Users\Ursula Gnas\Documents\Re_ Überweisung und Vorschlag bzgl_ weiterem Vorgehen.eml:OECustomProperty deleted successfully.
ADS C:\ProgramData\Temp:6FD3C973 deleted successfully.
C:\Users\Bernhard\AppData\Roaming\159485 folder moved successfully.
========== FILES ==========
File\Folder C:\ProgramData\*.exe not found.
File\Folder C:\ProgramData\*.dll not found.
File\Folder C:\ProgramData\*.tmp not found.
C:\ProgramData\TEMP folder moved successfully.
File\Folder C:\Users\Bernhard\*.tmp not found.
C:\Users\Bernhard\AppData\Local\{ACC50D5B-03AF-4784-B1C4-A29605A796A7} moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\00012a88.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\000992ec.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\000efc67.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\000f2d75.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\000f5502.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\000f7500.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\0012b7ca.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\00130618.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\tmp1f9fb75d.exe moved successfully.
C:\Users\Bernhard\AppData\Local\Temp\tmpf856c024.exe moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\tmp folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 folder moved successfully.
C:\Users\Bernhard\AppData\LocalLow\Sun\Java\Deployment\cache folder moved successfully.
File/Folder C:\Users\Ursula Gnas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk not found.
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Aufl”sungscache wurde geleert.
C:\Users\Verena\Desktop\cmd.bat deleted successfully.
C:\Users\Verena\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Bernhard
->Temp folder emptied: 37656458 bytes
->Temporary Internet Files folder emptied: 76793202 bytes
->FireFox cache emptied: 51959666 bytes
->Opera cache emptied: 5675887 bytes
->Flash cache emptied: 0 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56466 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
User: Ursula Gnas
->Temp folder emptied: 222716801 bytes
->Temporary Internet Files folder emptied: 201155689 bytes
->Java cache emptied: 6511356 bytes
->FireFox cache emptied: 34729585 bytes
->Opera cache emptied: 99728217 bytes
->Flash cache emptied: 70810 bytes
 
User: Verena
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 73222949 bytes
->Java cache emptied: 2020740 bytes
->FireFox cache emptied: 63810093 bytes
->Opera cache emptied: 54673026 bytes
->Flash cache emptied: 2896848 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 307522574 bytes
RecycleBin emptied: 1059537976 bytes
 
Total Files Cleaned = 2,194.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 11152012_164430
         
Aus Schritt 2:
Logfile von Malwarebytes:

Code:
ATTFilter
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Datenbank Version: v2012.11.15.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ursula Gnas :: URSULAGNAS-PC [Administrator]

15.11.2012 17:16:49
mbam-log-2012-11-15 (17-16-49).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 449718
Laufzeit: 2 Stunde(n), 38 Minute(n), 38 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 19
C:\Program Files\VDownloader\VDownloader.exe (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\ProgramData\HappyCloud\Application\hcwebwindow.exe (Trojan.FakeAlert) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Bernhard\Local Settings\Temp\msasviik.scr (Spyware.Zeus) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Bernhard\Local Settings\Temp\msayua.exe (Spyware.Zeus) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Bernhard\Local Settings\Temp\msbamyl.com (Backdoor.Agent.RS) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Bernhard\Local Settings\Temp\mswksa.exe (Trojan.Ransom) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Verena\AppData\Local\Programs\Opera\SoftonicDownloader_fuer_osmos.exe (PUP.OfferBundler.ST) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Verena\AppData\Roaming\Desktopicon\eBayShortcuts.exe (Adware.ADON) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\11152012_164430\C_Users\Bernhard\AppData\Local\Temp\00012a88.exe (Backdoor.Agent.RS) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\11152012_164430\C_Users\Bernhard\AppData\Local\Temp\000992ec.exe (Spyware.Zeus) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\11152012_164430\C_Users\Bernhard\AppData\Local\Temp\000efc67.exe (Spyware.Zeus) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\11152012_164430\C_Users\Bernhard\AppData\Local\Temp\000f2d75.exe (Trojan.Ransom) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\11152012_164430\C_Users\Bernhard\AppData\Local\Temp\000f5502.exe (Rootkit.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\11152012_164430\C_Users\Bernhard\AppData\Local\Temp\00130618.exe (Trojan.Ransom) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\11152012_164430\C_Users\Bernhard\AppData\Local\Temp\tmp1f9fb75d.exe (Spyware.Zeus) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\11152012_164430\C_Users\Bernhard\AppData\Roaming\159485\159485.exe (Trojan.Ransom) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Verena\AppData\Roaming\avdrn.dat (Malware.Trace) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\ProgramData\sysReserve.ini (Malware.Trace) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Program Files\Mozilla Firefox\plugins\npmieze.dll (PUP.LoadTubes) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
         
Aus Schritt 3:
Logfile von AdwCleaner[R1]:

Code:
ATTFilter
# AdwCleaner v2.007 - Datei am 15/11/2012 um 20:07:31 erstellt
# Aktualisiert am 06/11/2012 von Xplode
# Betriebssystem : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Benutzer : Ursula Gnas - URSULAGNAS-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Verena\Desktop\adwcleaner.exe
# Option [Suche]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Datei Gefunden : C:\Program Files\Mozilla Firefox\.autoreg
Datei Gefunden : C:\Program Files\Mozilla Firefox\searchplugins\SearchResults.xml
Datei Gefunden : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\searchplugins\icqplugin.xml
Datei Gefunden : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\searchplugins\SearchResults.xml
Datei Gefunden : C:\Users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\6xk6z9op.default\searchplugins\icqplugin.xml
Ordner Gefunden : C:\Program Files\Common Files\Plasmoo
Ordner Gefunden : C:\Program Files\Conduit
Ordner Gefunden : C:\Program Files\ICQ6Toolbar
Ordner Gefunden : C:\Program Files\Ilivid
Ordner Gefunden : C:\Program Files\Stardoll
Ordner Gefunden : C:\Program Files\Windows Searchqu Toolbar
Ordner Gefunden : C:\ProgramData\boost_interprocess
Ordner Gefunden : C:\ProgramData\ICQ\ICQToolbar
Ordner Gefunden : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid
Ordner Gefunden : C:\ProgramData\Trymedia
Ordner Gefunden : C:\Users\Bernhard\AppData\LocalLow\Conduit
Ordner Gefunden : C:\Users\Bernhard\AppData\LocalLow\ConduitEngine
Ordner Gefunden : C:\Users\Bernhard\AppData\LocalLow\searchquband
Ordner Gefunden : C:\Users\Bernhard\AppData\LocalLow\Searchqutoolbar
Ordner Gefunden : C:\Users\Bernhard\AppData\LocalLow\Stardoll
Ordner Gefunden : C:\Users\Bernhard\AppData\Roaming\Mozilla\Firefox\Profiles\paniajst.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
Ordner Gefunden : C:\Users\Bernhard\AppData\Roaming\Mozilla\Firefox\Profiles\paniajst.default\Searchqutoolbar
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\Local\Conduit
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\LocalLow\Conduit
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\LocalLow\ConduitEngine
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\LocalLow\searchquband
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\LocalLow\Searchqutoolbar
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\LocalLow\Stardoll
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\LocalLow\Veoh_Web_Player
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
Ordner Gefunden : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\Searchqutoolbar
Ordner Gefunden : C:\Users\Verena\AppData\Local\Ilivid Player
Ordner Gefunden : C:\Users\Verena\AppData\LocalLow\Conduit
Ordner Gefunden : C:\Users\Verena\AppData\LocalLow\searchquband
Ordner Gefunden : C:\Users\Verena\AppData\LocalLow\Searchqutoolbar
Ordner Gefunden : C:\Users\Verena\AppData\LocalLow\Stardoll
Ordner Gefunden : C:\Users\Verena\AppData\LocalLow\Veoh_Web_Player
Ordner Gefunden : C:\Users\Verena\AppData\Roaming\Desktopicon
Ordner Gefunden : C:\Users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\6xk6z9op.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
Ordner Gefunden : C:\Users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\6xk6z9op.default\Searchqutoolbar

***** [Registrierungsdatenbank] *****

Daten Gefunden : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\WI9130~1\Datamngr\datamngr.dll
Daten Gefunden : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\WI9130~1\Datamngr\IEBHO.dll
Schlüssel Gefunden : HKCU\Software\AppDataLow\Software\Conduit
Schlüssel Gefunden : HKCU\Software\AppDataLow\Software\searchqutoolbar
Schlüssel Gefunden : HKCU\Software\AppDataLow\Software\SmartBar
Schlüssel Gefunden : HKCU\Software\AppDataLow\Software\Stardoll
Schlüssel Gefunden : HKCU\Software\AppDataLow\Software\Veoh_Web_Player
Schlüssel Gefunden : HKCU\Software\AppDataLow\Toolbar
Schlüssel Gefunden : HKCU\Software\DataMngr
Schlüssel Gefunden : HKCU\Software\ilivid
Schlüssel Gefunden : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}
Schlüssel Gefunden : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}
Schlüssel Gefunden : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{192A6019-26D2-4611-AEAD-07CD7733B146}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4F12-8568-69135F087DB0}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CD90BF73-20F6-44EF-993D-BB920303BD2E}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{192A6019-26D2-4611-AEAD-07CD7733B146}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{63267E32-A9AA-475C-9308-E65E044CA142}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D717F81-9148-4F12-8568-69135F087DB0}
Schlüssel Gefunden : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CD90BF73-20F6-44EF-993D-BB920303BD2E}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{192A6019-26D2-4611-AEAD-07CD7733B146}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{63267E32-A9AA-475C-9308-E65E044CA142}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{9D717F81-9148-4F12-8568-69135F087DB0}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{CD90BF73-20F6-44EF-993D-BB920303BD2E}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Conduit.Engine
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Toolbar.CT2474641
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Toolbar.CT2653012
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Toolbar.CT2836015
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}
Schlüssel Gefunden : HKLM\Software\Conduit
Schlüssel Gefunden : HKLM\Software\DataMngr
Schlüssel Gefunden : HKLM\Software\ilivid
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{054E2ACE-D6FB-4C88-9A77-AD31177CF04B}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{20AFC78E-BCC6-412E-BCF6-23ADF5CA32B5}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C26DD60-EF6B-43B5-8FEF-5D7ED4B53111}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AAAB438-371B-430B-BAAF-DD67D9F5A4A7}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{192A6019-26D2-4611-AEAD-07CD7733B146}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4F12-8568-69135F087DB0}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD90BF73-20F6-44EF-993D-BB920303BD2E}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63267E32-A9AA-475C-9308-E65E044CA142}
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 0 MediaBar
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Stardoll Toolbar
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Veoh_Web_Player Toolbar
Schlüssel Gefunden : HKLM\Software\SearchquMediabarTb
Schlüssel Gefunden : HKLM\Software\Stardoll
Schlüssel Gefunden : HKLM\Software\Veoh_Web_Player
Schlüssel Gefunden : HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}
Schlüssel Gefunden : HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}
Schlüssel Gefunden : HKU\S-1-5-21-2422886476-3853793481-2147584669-1003\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Wert Gefunden : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{192A6019-26D2-4611-AEAD-07CD7733B146}]
Wert Gefunden : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{CD90BF73-20F6-44EF-993D-BB920303BD2E}]
Wert Gefunden : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{192A6019-26D2-4611-AEAD-07CD7733B146}]
Wert Gefunden : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{CD90BF73-20F6-44EF-993D-BB920303BD2E}]
Wert Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{192A6019-26D2-4611-AEAD-07CD7733B146}]
Wert Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{99079A25-328F-4BD4-BE04-00955ACAA0A7}]
Wert Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CD90BF73-20F6-44EF-993D-BB920303BD2E}]
Wert Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{192A6019-26D2-4611-AEAD-07CD7733B146}]
Wert Gefunden : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{CD90BF73-20F6-44EF-993D-BB920303BD2E}]
Wert Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16421

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.searchqu.com/414
[HKCU\Software\Microsoft\Internet Explorer\Main - ICQ Search] = hxxp://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd

-\\ Mozilla Firefox v3.5.7 (de)

Profilname : default 
Datei : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\prefs.js

Gefunden : user_pref("browser.startup.homepage", "hxxp://www.searchqu.com/414");
Gefunden : user_pref("keyword.URL", "hxxp://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q=");

Profilname : default 
Datei : C:\Users\Bernhard\AppData\Roaming\Mozilla\Firefox\Profiles\paniajst.default\prefs.js

[OK] Die Datei ist sauber.

Profilname : default 
Datei : C:\Users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\6xk6z9op.default\prefs.js

Gefunden : user_pref("keyword.URL", "hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=");

-\\ Opera v12.10.1652.0

Datei : C:\Users\Ursula Gnas\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

Datei : C:\Users\Bernhard\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

Datei : C:\Users\Verena\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [12516 octets] - [15/11/2012 20:07:31]

########## EOF - C:\AdwCleaner[R1].txt - [12577 octets] ##########
         
Aus Schritt 4:
Logfile von AdwCleaner[S1]:

Code:
ATTFilter
# AdwCleaner v2.007 - Datei am 15/11/2012 um 20:11:34 erstellt
# Aktualisiert am 06/11/2012 von Xplode
# Betriebssystem : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Benutzer : Ursula Gnas - URSULAGNAS-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Verena\Desktop\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Datei Gelöscht : C:\Program Files\Mozilla Firefox\.autoreg
Datei Gelöscht : C:\Program Files\Mozilla Firefox\searchplugins\SearchResults.xml
Datei Gelöscht : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\searchplugins\icqplugin.xml
Datei Gelöscht : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\searchplugins\SearchResults.xml
Datei Gelöscht : C:\Users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\6xk6z9op.default\searchplugins\icqplugin.xml
Gelöscht mit Neustart : C:\Program Files\Windows Searchqu Toolbar
Ordner Gelöscht : C:\Program Files\Common Files\Plasmoo
Ordner Gelöscht : C:\Program Files\Conduit
Ordner Gelöscht : C:\Program Files\ICQ6Toolbar
Ordner Gelöscht : C:\Program Files\Ilivid
Ordner Gelöscht : C:\Program Files\Stardoll
Ordner Gelöscht : C:\ProgramData\boost_interprocess
Ordner Gelöscht : C:\ProgramData\ICQ\ICQToolbar
Ordner Gelöscht : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid
Ordner Gelöscht : C:\ProgramData\Trymedia
Ordner Gelöscht : C:\Users\Bernhard\AppData\LocalLow\Conduit
Ordner Gelöscht : C:\Users\Bernhard\AppData\LocalLow\ConduitEngine
Ordner Gelöscht : C:\Users\Bernhard\AppData\LocalLow\searchquband
Ordner Gelöscht : C:\Users\Bernhard\AppData\LocalLow\Searchqutoolbar
Ordner Gelöscht : C:\Users\Bernhard\AppData\LocalLow\Stardoll
Ordner Gelöscht : C:\Users\Bernhard\AppData\Roaming\Mozilla\Firefox\Profiles\paniajst.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
Ordner Gelöscht : C:\Users\Bernhard\AppData\Roaming\Mozilla\Firefox\Profiles\paniajst.default\Searchqutoolbar
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\Local\Conduit
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\LocalLow\Conduit
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\LocalLow\ConduitEngine
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\LocalLow\searchquband
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\LocalLow\Searchqutoolbar
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\LocalLow\Stardoll
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\LocalLow\Veoh_Web_Player
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
Ordner Gelöscht : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\Searchqutoolbar
Ordner Gelöscht : C:\Users\Verena\AppData\Local\Ilivid Player
Ordner Gelöscht : C:\Users\Verena\AppData\LocalLow\Conduit
Ordner Gelöscht : C:\Users\Verena\AppData\LocalLow\searchquband
Ordner Gelöscht : C:\Users\Verena\AppData\LocalLow\Searchqutoolbar
Ordner Gelöscht : C:\Users\Verena\AppData\LocalLow\Stardoll
Ordner Gelöscht : C:\Users\Verena\AppData\LocalLow\Veoh_Web_Player
Ordner Gelöscht : C:\Users\Verena\AppData\Roaming\Desktopicon
Ordner Gelöscht : C:\Users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\6xk6z9op.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
Ordner Gelöscht : C:\Users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\6xk6z9op.default\Searchqutoolbar

***** [Registrierungsdatenbank] *****

Daten Gelöscht : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\WI9130~1\Datamngr\datamngr.dll
Daten Gelöscht : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~1\WI9130~1\Datamngr\IEBHO.dll
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\Conduit
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\searchqutoolbar
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\SmartBar
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\Stardoll
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Software\Veoh_Web_Player
Schlüssel Gelöscht : HKCU\Software\AppDataLow\Toolbar
Schlüssel Gelöscht : HKCU\Software\DataMngr
Schlüssel Gelöscht : HKCU\Software\ilivid
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{192A6019-26D2-4611-AEAD-07CD7733B146}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4F12-8568-69135F087DB0}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CD90BF73-20F6-44EF-993D-BB920303BD2E}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{192A6019-26D2-4611-AEAD-07CD7733B146}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{63267E32-A9AA-475C-9308-E65E044CA142}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D717F81-9148-4F12-8568-69135F087DB0}
Schlüssel Gelöscht : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CD90BF73-20F6-44EF-993D-BB920303BD2E}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{192A6019-26D2-4611-AEAD-07CD7733B146}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{63267E32-A9AA-475C-9308-E65E044CA142}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{9D717F81-9148-4F12-8568-69135F087DB0}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{CD90BF73-20F6-44EF-993D-BB920303BD2E}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Conduit.Engine
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Toolbar.CT2474641
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Toolbar.CT2653012
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Toolbar.CT2836015
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}
Schlüssel Gelöscht : HKLM\Software\Conduit
Schlüssel Gelöscht : HKLM\Software\DataMngr
Schlüssel Gelöscht : HKLM\Software\ilivid
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{054E2ACE-D6FB-4C88-9A77-AD31177CF04B}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{20AFC78E-BCC6-412E-BCF6-23ADF5CA32B5}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C26DD60-EF6B-43B5-8FEF-5D7ED4B53111}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AAAB438-371B-430B-BAAF-DD67D9F5A4A7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2414}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{192A6019-26D2-4611-AEAD-07CD7733B146}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4F12-8568-69135F087DB0}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD90BF73-20F6-44EF-993D-BB920303BD2E}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63267E32-A9AA-475C-9308-E65E044CA142}
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 0 MediaBar
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Stardoll Toolbar
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Veoh_Web_Player Toolbar
Schlüssel Gelöscht : HKLM\Software\SearchquMediabarTb
Schlüssel Gelöscht : HKLM\Software\Stardoll
Schlüssel Gelöscht : HKLM\Software\Veoh_Web_Player
Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{192A6019-26D2-4611-AEAD-07CD7733B146}]
Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{CD90BF73-20F6-44EF-993D-BB920303BD2E}]
Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{192A6019-26D2-4611-AEAD-07CD7733B146}]
Wert Gelöscht : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{CD90BF73-20F6-44EF-993D-BB920303BD2E}]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{192A6019-26D2-4611-AEAD-07CD7733B146}]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{99079A25-328F-4BD4-BE04-00955ACAA0A7}]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{CD90BF73-20F6-44EF-993D-BB920303BD2E}]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{192A6019-26D2-4611-AEAD-07CD7733B146}]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{CD90BF73-20F6-44EF-993D-BB920303BD2E}]
Wert Gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16421

Ersetzt : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.searchqu.com/414 --> hxxp://www.google.com
Ersetzt : [HKCU\Software\Microsoft\Internet Explorer\Main - ICQ Search] = hxxp://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd --> hxxp://www.google.com

-\\ Mozilla Firefox v3.5.7 (de)

Profilname : default 
Datei : C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\prefs.js

C:\Users\Ursula Gnas\AppData\Roaming\Mozilla\Firefox\Profiles\qxrfus66.default\user.js ... Gelöscht !

Gelöscht : user_pref("browser.startup.homepage", "hxxp://www.searchqu.com/414");
Gelöscht : user_pref("keyword.URL", "hxxp://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q=");

Profilname : default 
Datei : C:\Users\Bernhard\AppData\Roaming\Mozilla\Firefox\Profiles\paniajst.default\prefs.js

C:\Users\Bernhard\AppData\Roaming\Mozilla\Firefox\Profiles\paniajst.default\user.js ... Gelöscht !

[OK] Die Datei ist sauber.

Profilname : default 
Datei : C:\Users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\6xk6z9op.default\prefs.js

Gelöscht : user_pref("keyword.URL", "hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=");

-\\ Opera v12.10.1652.0

Datei : C:\Users\Ursula Gnas\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

Datei : C:\Users\Bernhard\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

Datei : C:\Users\Verena\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [12647 octets] - [15/11/2012 20:07:31]
AdwCleaner[S1].txt - [12378 octets] - [15/11/2012 20:11:34]

########## EOF - C:\AdwCleaner[S1].txt - [12439 octets] ##########
         
__________________

Alt 15.11.2012, 21:31   #4
t'john
/// Helfer-Team
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Scan mit Malwarebytes' Anti-Rootkit
Download: Download - Malwarebytes Anti-Rootkit BETA

Anleitung: http://www.trojaner-board.de/126981-...tml#post956070
__________________
Mfg, t'john
Das TB unterstützen

Alt 16.11.2012, 17:13   #5
MrsLazuli
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Habe den Scan durchgeführt.

Code:
ATTFilter
Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.16.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ursula Gnas :: URSULAGNAS-PC [administrator]

16.11.2012 16:45:10
mbar-log-2012-11-16 (16-45-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 28758
Time elapsed: 40 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\$RECYCLE.BIN\S-1-5-21-2422886476-3853793481-2147584669-1004\$ffa0c07045ca02c8fa878ebd0f79cb8c\U (Trojan.Siredef.C) -> Delete on reboot. [8e63585f8cd147efc8dc05fbb64aba46]
C:\$RECYCLE.BIN\S-1-5-21-2422886476-3853793481-2147584669-1004\$ffa0c07045ca02c8fa878ebd0f79cb8c\L (Trojan.Siredef.C) -> Delete on reboot. [17da34832f2e06305b4bca36ff0134cc]
C:\$RECYCLE.BIN\S-1-5-21-2422886476-3853793481-2147584669-1004\$ffa0c07045ca02c8fa878ebd0f79cb8c (Trojan.Siredef.C) -> Delete on reboot. [4ea39d1a421b3df93a6d31cf837da858]

Files Detected: 1
C:\$RECYCLE.BIN\S-1-5-21-2422886476-3853793481-2147584669-1004\$ffa0c07045ca02c8fa878ebd0f79cb8c\@ (Trojan.Siredef.C) -> Delete on reboot. [d8199126a3ba3402eeb331cfe51bf40c]

(end)
         
Vielen Dank, nochmal.


Alt 16.11.2012, 20:31   #6
t'john
/// Helfer-Team
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Malware mit Combofix beseitigen

Lade Combofix von einem der folgenden Download-Spiegel herunter:

BleepingComputer.com - ForoSpyware.com

und speichere das Programm auf den Desktop, nicht woanders hin, das ist wichtig!
Beachte die ausführliche Original-Anleitung.

Zurzeit ist Combofix auf folgenden Windows-Versionen lauffähig:
  • Windows XP (nur 32-bit)
  • Windows Vista (32-bit/64-bit)
  • Windows 7 (32-bit/64-bit)


Vorbereitung und wichtige Hinweise

  • Bitte während des Scans mit Combofix Antiviren- sowie Antispy-Programme, die Firewall und evtl. vorhandenes Skript-Blocking (Norton) deaktivieren.
  • Liste der zu deaktivierenden Programme.
    Bei Unklarheiten bitte fragen.


  • ComboFix wird Deine Einstellungen in Bezug auf den Bildschirmschoner zurücksetzen.
  • Diese Einstellungen kannst Du nach Beendigung unserer Bereinigung wieder ändern.
  • Mache nichts anderes, wenn es Dir nicht gelungen ist, Combofix laufen zu lassen.
  • Teile uns das mit und warte auf unsere Anweisungen.


  • Starte die Combofix.exe mit Rechtsklick => Als Administrator ausführen und folge den Anweisungen.
  • Während des Laufs von Combofix nichts anderes am Computer machen!
  • Akzeptiere die Bedingungen (Disclaimer) mit "Ja".


  • Sollte Combofix eine aktuellere Version anbieten, Downlaod erlauben.
  • Klicke "Ja", um mit dem Suchlauf nach Malware fortzufahren.
  • Es erscheint eine blaue Eingabeaufforderung, Combofix wird für den Suchlauf vorbereitet.
  • Bitte nicht in dieses Combofix-Fenster klicken.
  • Das könnte Dein System einfrieren oder hängen bleiben lassen.
  • Es wird ein Backup Deiner Registry erstellt.
  • Nun werden die einzelnen Stufen des Programms abgearbeitet, das kann eine Weile dauern.


  • Wenn ComboFix fertig ist, wird es ein Log erstellen (bitte warten, das dauert einen Moment).
  • Unbedingt warten, bis sich das Combofix-Fenster geschlossen hat und das Logfile im Editor erscheint.
  • Bitte poste die Log-Dateien C:\ComboFix.txt und C:\Qoobox\Add-Remove Programs.txt in Code-Tags hier in den Thread.


  • Hinweis: Combofix macht aus verschiedenen Gründen den Internet Explorer zum Standard-Browser und erstellt ein IE-Icon auf dem Desktop.
  • Das IE-Desktop-Icon kannst Du nach der Bereinigung wieder löschen und Deinen bevorzugten Browser wieder als Standard-Browser einstellen.



Combofix nicht auf eigene Faust einsetzen. Wenn keine entsprechende Infektion vorliegt, kann das den Rechner lahmlegen und/oder nachhaltig schädigen!
__________________
--> Computer von FBI Ransomware befallen

Alt 17.11.2012, 12:33   #7
MrsLazuli
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Combofix funktioniert leider nicht. Habe alles genau nach Anweisunf gemacht, aber nach dem Suchlauf kommt in der blaue Eingabeaufforderung die Meldung:
"Failed to get data for "EnableLUA".
Versuche, einen neuen Systemwiederherstellungspunkt zu erstellen."

Obwohl ich alle Antiviren- und Antispy-Programme nach der Anweisung
ausgeschaltet habe. Auch habe ich den Computer dann mal Neu gestartet, danach kam aber genau das gleiche. Woran kann das liegen?

Alt 17.11.2012, 16:41   #8
t'john
/// Helfer-Team
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Windows Repair Tool (AIO)

  • Downloade Windows repair tool
  • Entpacke das Zip und starte Repair_Windows.exe
  • Klicke auf Start repairs Tab dann: Start

    folgende Punkte auswählen

    Register System Files
    Repair WMI
    Repair Windows Updates
    Set Windows Services To Default Startup


    Auswählen: Restart System When Finished
    Dann Start Button klicken.



dann nochmal versuchen
__________________
Mfg, t'john
Das TB unterstützen

Alt 19.11.2012, 14:53   #9
MrsLazuli
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Habe es gemacht. Immmer noch das gleiche Problem.

Alt 19.11.2012, 16:00   #10
t'john
/// Helfer-Team
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Rechner neustarten, Combofix loeschen und neu runterladen.
__________________
Mfg, t'john
Das TB unterstützen

Alt 23.11.2012, 17:02   #11
MrsLazuli
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Weiß nicht mehr weiter. Habe das jetzt schon X-Mal gmeacht. Es funktioniert aber einfach nicht wird immer das gleiche angezeigt. =/

Alt 24.11.2012, 06:53   #12
t'john
/// Helfer-Team
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Systemscan mit OTL (bebilderte Anleitung)

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop ( falls noch nicht vorhanden)- Doppelklick auf die OTL.exe

  • Vista und Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
  • Wähle Scanne Alle Benuzer
  • Oben findest Du ein Kästchen mit Ausgabe. Wähle bitte Minimale Ausgabe
  • Unter Extra Registrierung, wähle bitte Benutze SafeList
  • Klicke nun auf Scan links oben
  • Wenn der Scan beendet wurde werden 2 Logfiles erstellt
  • Poste die Logfiles hier in den Thread.
__________________
Mfg, t'john
Das TB unterstützen

Alt 19.01.2013, 16:37   #13
t'john
/// Helfer-Team
 
Computer von FBI Ransomware befallen - Standard

Computer von FBI Ransomware befallen



Fehlende Rückmeldung

Gibt es Probleme beim Abarbeiten obiger Anleitung?

Um Kapazitäten für andere Hilfesuchende freizumachen, lösche ich dieses Thema aus meinen Benachrichtigungen.

Solltest Du weitermachen wollen, schreibe mir eine PN oder eröffne ein neues Thema.
http://www.trojaner-board.de/69886-a...-beachten.html


Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner sauber ist.
__________________
Mfg, t'john
Das TB unterstützen

Antwort

Themen zu Computer von FBI Ransomware befallen
32 bit, adware.adon, antivir, auftrag, backdoor.agent.rs, bandoo, bonjour, desktop, dubios, ebay.de, hotkey.sys, install.exe, internet, kunde, launch, limewire, lösegeld-trojaner, malware.trace, moneypak, office 2007, officejet, pup.loadtubes, pup.offerbundler.st, ransomware, realtek, rootkit.0access, security, sketchup, software, spyware.zeus, super, svchost.exe, symantec, trojan.downloader, trojan.fakealert, trojan.ransom, trojan.siredef.c, vista



Ähnliche Themen: Computer von FBI Ransomware befallen


  1. Auf meinem Server wird meine webseite befallen, evtl. liegt das an meinem Computer / Befall?
    Plagegeister aller Art und deren Bekämpfung - 02.05.2014 (27)
  2. [IMINENT] Browser befallen, Programm unerklärlich auf Computer installiert
    Plagegeister aller Art und deren Bekämpfung - 14.10.2013 (5)
  3. Computer ist von dem GVU Trojaner befallen
    Log-Analyse und Auswertung - 27.07.2013 (3)
  4. system care antivirus hat den Computer befallen
    Log-Analyse und Auswertung - 03.05.2013 (28)
  5. Ransomware auf meinem PC :(
    Plagegeister aller Art und deren Bekämpfung - 02.10.2012 (10)
  6. BKA-Variante "Der computer ist für die Verletzung..." hat meinen Computer befallen!
    Log-Analyse und Auswertung - 15.08.2012 (15)
  7. Ransomware entfernen, Der Computer ist für die Verletzung...
    Plagegeister aller Art und deren Bekämpfung - 08.08.2012 (13)
  8. Computer befallen von Spyware
    Log-Analyse und Auswertung - 23.07.2012 (1)
  9. Commerzbank Trojaner - Warten Sie bis Ihrer Computer identifiziert wurde-hat mich auch befallen
    Plagegeister aller Art und deren Bekämpfung - 15.12.2011 (4)
  10. TR/ATRAPS.gen auf Stick - Computer auch befallen?
    Log-Analyse und Auswertung - 05.07.2011 (10)
  11. Ist mein Computer befallen ? Er ist super langsam und fährt kaum hoch !
    Log-Analyse und Auswertung - 05.02.2010 (1)
  12. Computer befallen? (inkl. Hijack-Log)
    Plagegeister aller Art und deren Bekämpfung - 25.11.2009 (6)
  13. Ich denke mein computer ist von malware befallen ! oder ?
    Log-Analyse und Auswertung - 25.01.2009 (1)
  14. Computer von Trojanern und Viren befallen
    Mülltonne - 23.10.2008 (0)
  15. Hilfe: Irgendetwas hat mein Computer befallen !
    Log-Analyse und Auswertung - 17.10.2005 (10)
  16. Computer befallen von kA was.....
    Plagegeister aller Art und deren Bekämpfung - 12.02.2005 (3)
  17. Hilfe!Computer befallen
    Log-Analyse und Auswertung - 06.11.2004 (4)

Zum Thema Computer von FBI Ransomware befallen - Habe mir heute eine Ransomware eingefangen, eine vom FBI, die per Moneypak 200 Dollar fordert. Avira hat ihn erkannt und in Quarantäne gesteckt. Allerdings ist bei 1 von 3 Benutzern - Computer von FBI Ransomware befallen...
Archiv
Du betrachtest: Computer von FBI Ransomware befallen auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.