Pests of all kinds and their removal: tr/atraps.gen2 and other findings (Windows 7)
#1
tr/atraps.gen2 and other findings

Hi folks, I'm sitting at my mother's PC right now, and Avira's real-time scanner showed virus alerts here (tr/atraps.gen2 and others) which, however, could not be deleted. I then ran an Avira scan and aborted it at 46%, 6 findings, after 3 hours. I was then able to delete 2 findings. After that I ran a Malwarebytes Anti-Malware quick scan, which showed me 4 findings; I deleted them (only read here afterwards that you shouldn't do that, too late). Since then no more alerts appear, but I don't quite trust it. Thanks for your help.

Regards, Meister G.

The malware log is at the very bottom.

```text
OTL logfile created on: 29.12.2012 10:44:58 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\*****\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,75 Gb Total Physical Memory | 1,59 Gb Available Physical Memory | 57,96% Memory free
5,50 Gb Paging File | 4,29 Gb Available in Paging File | 78,07% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 342,02 Gb Total Space | 237,48 Gb Free Space | 69,43% Space Free | Partition Type: NTFS
Drive D: | 341,97 Gb Total Space | 228,21 Gb Free Space | 66,73% Space Free | Partition Type: NTFS

Computer Name: *****-PC | User Name: **** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.12.29 10:44:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Gieske\Desktop\OTL.exe
PRC - [2012.10.04 15:57:58 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2012.09.12 16:25:24 | 000,287,824 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft Security Client\NisSrv.exe
PRC - [2012.09.12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft Security Client\MsMpEng.exe
PRC - [2012.09.07 15:37:04 | 000,100,864 | ---- | M] (Freemake) -- C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe
PRC - [2012.08.09 07:37:19 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.07.27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012.05.09 07:24:46 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.09 07:24:40 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012.05.09 07:24:39 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2011.02.25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.11.20 13:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2010.11.20 13:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010.05.20 23:52:06 | 011,312,128 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.bin
PRC - [2010.05.20 23:52:04 | 011,318,784 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.exe
PRC - [2009.08.18 01:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009.08.18 01:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2008.10.24 15:35:44 | 000,128,296 | ---- | M] () -- C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
PRC - [2007.01.11 04:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
PRC - [2006.02.17 01:51:08 | 000,483,328 | ---- | M] () -- C:\Programme\MSI\US54SE_Utility\ZDWlan.exe

========== Modules (No Company Name) ==========

MOD - [2010.05.04 14:36:28 | 000,970,752 | ---- | M] () -- C:\Programme\OpenOffice.org 3\program\libxml2.dll
MOD - [2010.03.15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll
MOD - [2006.02.17 01:51:08 | 000,483,328 | ---- | M] () -- C:\Programme\MSI\US54SE_Utility\ZDWlan.exe
MOD - [2005.11.11 13:46:48 | 000,045,056 | ---- | M] () -- C:\Programme\MSI\US54SE_Utility\ZDWlan.dll
MOD - [2005.11.10 14:50:18 | 000,212,992 | ---- | M] () -- C:\Programme\MSI\US54SE_Utility\dot1x_dll.dll

========== Services (SafeList) ==========

SRV - [2012.12.12 08:48:44 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.09.12 16:25:24 | 000,287,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Programme\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012.09.12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012.09.07 15:37:04 | 000,100,864 | ---- | M] (Freemake) [Auto | Running] -- C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe -- (Freemake Improver)
SRV - [2012.07.27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.05.09 07:24:46 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.09 07:24:39 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010.11.20 13:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2009.08.18 01:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009.07.14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008.10.24 15:35:44 | 000,128,296 | ---- | M] () [Auto | Running] -- C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe -- (AAV UpdateService)
SRV - [2008.10.23 17:45:14 | 000,307,200 | ---- | M] (T-Systems Enterprise Services GmbH) [On_Demand | Stopped] -- C:\Programme\DSL-Manager\DslMgrSvc.exe -- (TDslMgrService)
SRV - [2007.05.31 16:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007.05.31 16:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2007.01.11 04:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01)

========== Driver Services (SafeList) ==========

DRV - [2012.08.30 21:03:50 | 000,099,272 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2012.05.09 07:24:46 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.09 07:24:46 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011.09.16 16:08:07 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010.11.20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 10:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WINUSB)
DRV - [2009.10.08 16:55:33 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.09.28 08:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009.08.18 02:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008.07.29 04:45:00 | 000,904,192 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athrusb.sys -- (athrusb)
DRV - [2007.08.21 09:00:22 | 000,873,472 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WlanGZG.sys -- (XG762_VS)
DRV - [2007.08.01 14:49:00 | 000,016,448 | ---- | M] (T-Systems Enterprise Services GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\dslmnlwf.sys -- (DslMNLwf)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5A 2E DA 97 A8 4A CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {8A0BACF6-CE30-4284-A51E-0405D60018AF}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\..\SearchScopes\{8A0BACF6-CE30-4284-A51E-0405D60018AF}: "URL" = hxxp://www.google.de/search?q={searchTerms}&rlz=1I7ADRA_deDE395
IE - HKCU\..\SearchScopes\{FAFA8EBF-EA44-46C9-823C-9404E9E5CD2F}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=652E5B7F-9537-4FAA-A1A5-C62E58D54FB2&apn_sauid=A6ED621F-C0D0-4155-8603-6784821A30E6&
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.03.14 17:50:50 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}: C:\Program Files\PriceGong\2.6.2\FF [2012.03.03 22:31:08 | 000,000,000 | ---D | M]

[2012.03.14 17:50:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Gieske\AppData\Roaming\mozilla\Extensions
[2012.05.04 14:51:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Gieske\AppData\Roaming\mozilla\Firefox\Profiles\yz3ltjcy.default\extensions
[2012.03.14 17:50:50 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.03.13 05:38:06 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.03.13 06:23:34 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.03.13 06:06:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.03.13 06:23:34 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.03.13 06:23:34 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.03.13 06:23:34 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.03.13 06:23:34 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

========== Chrome ==========

CHR - homepage: hxxp://www.google.com/
CHR - default_search_provider: Bing (Enabled)
CHR - default_search_provider: search_url = hxxp://www.bing.com/search?setmkt=de-DE&q={searchTerms}
CHR - default_search_provider: suggest_url = hxxp://api.bing.com/osjson.aspx?query={searchTerms}&language={language}
CHR - homepage: hxxp://www.google.com/
CHR - Extension: PriceGong = C:\Users\Gieske\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkomkajifikmkfnjgphkjcfeepbnojok\5.6.2_0\
CHR - Extension: YouTube = C:\Users\Gieske\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: YouTube = C:\Users\Gieske\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google-Suche = C:\Users\Gieske\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Google-Suche = C:\Users\Gieske\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Google Mail = C:\Users\Gieske\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
CHR - Extension: Google Mail = C:\Users\Gieske\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2009.06.10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Shopping Assistant Plugin) - {1631550F-191D-4826-B069-D9439253D926} - C:\Programme\PriceGong\2.6.2\PriceGongIE.dll (PriceGong)
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {40C3CC16-7269-4B32-9531-17F2950FB06F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [tsnpstd3] C:\Windows\tsnpstd3.exe (SONIX)
O4 - HKCU..\Run: [syshost32] C:\Users\Gieske\AppData\Local\{AFF6C721-3C92-F4CD-0922-36C5E90BBAB1}\syshost.exe ()
O4 - Startup: C:\Users\Gieske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DSL-Manager.lnk = File not found
O4 - Startup: C:\Users\Gieske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe (PokerStars)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: microsoft.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] * in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] * in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([]* in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx (CRLDownloadWrapper Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{31116BF8-057C-44C7-990E-B3A02309704D}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4BD9EE6B-B642-44BB-9FE9-C07A51D22CAB}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9D940974-3B24-4ED4-85D2-954CBD761AF8}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EF72BE95-631A-4864-BFC7-5D33E0DC5F90}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F7E3C8F4-6BFD-4B4C-8A29-C6113049523D}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{5bc6ba27-feef-11e0-a3a8-00226869e1ea}\Shell - "" = AutoRun
O33 - MountPoints2\{5bc6ba27-feef-11e0-a3a8-00226869e1ea}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL J:\Start.hta
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.12.29 10:44:23 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Gieske\Desktop\OTL.exe
[2012.12.28 17:42:05 | 000,000,000 | ---D | C] -- C:\Users\Gieske\AppData\Local\{AFF6C721-3C92-F4CD-0922-36C5E90BBAB1}
[2012.12.28 11:40:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Age of Empires 3
[2012.12.28 11:39:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Microsoft Games
[2012.12.24 21:20:55 | 000,000,000 | -H-D | C] -- C:\Users\Gieske\Documents\Freemake_do_not_remove_this_folder634919808556983394
[2012.12.24 01:42:48 | 000,000,000 | ---D | C] -- C:\Users\Gieske\AppData\Roaming\TuneUp Software
[2012.12.24 01:42:29 | 000,000,000 | ---D | C] -- C:\ProgramData\TuneUp Software
[2012.12.24 01:42:19 | 000,000,000 | -HSD | C] -- C:\ProgramData\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
[2012.12.24 01:42:19 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2012.12.24 01:39:06 | 000,000,000 | -H-D | C] -- C:\Users\Gieske\Documents\Freemake_do_not_remove_this_folder
[2012.12.24 01:38:16 | 000,000,000 | ---D | C] -- C:\Users\Gieske\Documents\Freemake
[2012.12.24 01:38:15 | 000,000,000 | ---D | C] -- C:\Users\Gieske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Freemake
[2012.12.24 01:38:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freemake
[2012.12.24 01:38:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Freemake
[2012.12.24 01:38:03 | 000,000,000 | ---D | C] -- C:\Users\Gieske\AppData\Roaming\OpenCandy
[2012.12.24 01:38:03 | 000,000,000 | ---D | C] -- C:\Program Files\Freemake
[2012.12.23 23:55:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Canneverbe Limited
[2012.12.23 23:55:00 | 000,000,000 | ---D | C] -- C:\Users\Gieske\AppData\Roaming\Canneverbe Limited
[2012.12.23 23:51:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter
[2012.12.23 23:51:00 | 000,000,000 | ---D | C] -- C:\Users\Gieske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter
[2012.12.23 23:51:00 | 000,000,000 | ---D | C] -- C:\Program Files\Haali
[2012.12.23 23:50:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TSDoctor
[2012.12.23 23:50:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Cypheros
[2012.12.23 23:50:36 | 000,000,000 | ---D | C] -- C:\Program Files\Cypheros
[2012.12.16 15:40:51 | 000,000,000 | ---D | C] -- C:\Users\Gieske\AppData\Local\Proxure
[2012.12.16 15:40:42 | 000,000,000 | ---D | C] -- C:\ProgramData\ClubSanDisk
[2012.12.14 14:30:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Holzfäller Simulator 2013
[2012.12.14 14:30:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
[2012.12.14 14:30:18 | 000,000,000 | ---D | C] -- C:\Program Files\AGEIA Technologies
[2012.12.14 14:30:18 | 000,000,000 | ---D | C] -- C:\Windows\System32\AGEIA
[2012.12.14 14:30:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2012.12.14 14:29:01 | 000,000,000 | ---D | C] -- C:\Program Files\Woodcutter Simulator 2013
[2012.12.08 14:09:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Landwirtschafts Simulator 2013
[2012.12.08 14:07:00 | 000,000,000 | ---D | C] -- C:\Program Files\Landwirtschafts Simulator 2013

========== Files - Modified Within 30 Days ==========

[2012.12.29 10:46:03 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.12.29 10:44:27 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Gieske\Desktop\OTL.exe
[2012.12.29 10:43:05 | 000,000,000 | ---- | M] () -- C:\Users\Gieske\defogger_reenable
[2012.12.29 10:41:49 | 000,050,477 | ---- | M] () -- C:\Users\Gieske\Desktop\Defogger.exe
[2012.12.29 10:16:30 | 000,013,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.12.29 10:16:30 | 000,013,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.12.29 09:50:06 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.12.29 08:50:00 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.12.29 08:31:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.12.29 08:31:34 | 2213,945,344 | -HS- | M] () -- C:\hiberfil.sys
[2012.12.26 21:13:07 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.12.24 20:51:01 | 000,654,150 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.12.24 20:51:01 | 000,616,032 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.12.24 20:51:01 | 000,130,022 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.12.24 20:51:01 | 000,106,412 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.12.24 01:38:15 | 000,001,282 | ---- | M] () -- C:\Users\Public\Desktop\Freemake Video Converter.lnk
[2012.12.23 23:50:40 | 000,001,030 | ---- | M] () -- C:\Users\Public\Desktop\TSDoctor.lnk
[2012.12.21 09:27:41 | 000,302,616 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.12.17 11:20:08 | 000,032,720 | ---- | M] () -- C:\Users\Gieske\Documents\Tannebaum.odt
[2012.12.16 15:41:26 | 000,000,288 | ---- | M] () -- C:\Users\Gieske\AppData\Roaming\.backup.dm
[2012.12.14 19:27:19 | 000,076,844 | ---- | M] () -- C:\Users\Gieske\Documents\weißkopfseeadler.odt
[2012.12.14 14:30:28 | 000,002,030 | ---- | M] () -- C:\Users\Gieske\Desktop\Holzfäller Simulator 2013.lnk
[2012.12.14 11:25:09 | 000,013,652 | ---- | M] () -- C:\Users\Gieske\Documents\Parkfriedhof Nutzungsrechte.odt
[2012.12.14 11:25:09 | 000,000,102 | -H-- | M] () -- C:\Users\Gieske\Documents\.~lock.Parkfriedhof Nutzungsrechte.odt#
[2012.12.13 19:55:17 | 000,002,324 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012.12.08 14:09:09 | 000,001,245 | ---- | M] () -- C:\Users\Gieske\Desktop\Landwirtschafts Simulator 2013 .lnk
[2012.12.08 12:08:52 | 000,013,376 | ---- | M] () -- C:\Users\Gieske\Documents\Wundertüte.odt
[2012.12.05 14:16:40 | 000,017,349 | ---- | M] () -- C:\Users\Gieske\Documents\Advent.odt

========== Files Created - No Company Name ==========

[2012.12.29 10:43:05 | 000,000,000 | ---- | C] () -- C:\Users\Gieske\defogger_reenable
[2012.12.29 10:41:49 | 000,050,477 | ---- | C] () -- C:\Users\Gieske\Desktop\Defogger.exe
[2012.12.24 01:38:15 | 000,001,282 | ---- | C] () -- C:\Users\Public\Desktop\Freemake Video Converter.lnk
[2012.12.23 23:50:40 | 000,001,030 | ---- | C] () -- C:\Users\Public\Desktop\TSDoctor.lnk
[2012.12.17 11:20:06 | 000,032,720 | ---- | C] () -- C:\Users\Gieske\Documents\Tannebaum.odt
[2012.12.16 15:41:26 | 000,000,288 | ---- | C] () -- C:\Users\Gieske\AppData\Roaming\.backup.dm
[2012.12.14 19:27:17 | 000,076,844 | ---- | C] () -- C:\Users\Gieske\Documents\weißkopfseeadler.odt
[2012.12.14 14:30:28 | 000,002,030 | ---- | C] () -- C:\Users\Gieske\Desktop\Holzfäller Simulator 2013.lnk
[2012.12.14 10:56:31 | 000,000,102 | -H-- | C] () -- C:\Users\Gieske\Documents\.~lock.Parkfriedhof Nutzungsrechte.odt#
[2012.12.14 10:56:29 | 000,013,652 | ---- | C] () -- C:\Users\Gieske\Documents\Parkfriedhof Nutzungsrechte.odt
[2012.12.08 14:09:09 | 000,001,245 | ---- | C] () -- C:\Users\Gieske\Desktop\Landwirtschafts Simulator 2013 .lnk
[2012.12.05 14:24:53 | 000,013,376 | ---- | C] () -- C:\Users\Gieske\Documents\Wundertüte.odt
[2012.12.05 14:16:39 | 000,017,349 | ---- | C] () -- C:\Users\Gieske\Documents\Advent.odt
[2012.03.26 16:11:29 | 000,000,019 | ---- | C] () -- C:\Windows\TKKG_9.INI
[2012.02.18 13:36:06 | 000,284,160 | ---- | C] () -- C:\Windows\uninst.exe
[2011.12.24 15:26:37 | 000,004,608 | ---- | C] () -- C:\Users\Gieske\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.11.01 19:29:29 | 000,843,776 | ---- | C] () -- C:\Windows\vsnpstd3.exe
[2011.11.01 19:29:29 | 000,015,498 | ---- | C] () -- C:\Windows\snpstd3.ini
[2011.11.01 19:29:28 | 000,172,032 | ---- | C] ( ) -- C:\Windows\System32\rsnpstd3.dll
[2011.11.01 19:29:28 | 000,061,440 | ---- | C] ( ) -- C:\Windows\System32\vsnpstd3.dll
[2011.11.01 19:29:28 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\csnpstd3.dll
[2011.11.01 19:29:28 | 000,053,248 | ---- | C] ( ) -- C:\Windows\csnpstd3.dll
[2011.07.25 16:29:40 | 000,000,056 | ---- | C] () -- C:\Windows\TKKG_7.ini
[2011.07.22 13:57:33 | 000,000,168 | ---- | C] () -- C:\Windows\Wendy3.ini

========== ZeroAccess Check ==========

[2011.11.17 06:38:39 | 000,000,000 | -HSD | M] -- C:\Users\Gieske\AppData\Local\{725f5121-2ebf-fe7c-6f8a-bfe6380e9f70}\L
[2011.11.17 06:38:39 | 000,000,000 | -HSD | M] -- C:\Users\Gieske\AppData\Local\{725f5121-2ebf-fe7c-6f8a-bfe6380e9f70}\U
[2009.07.14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = C:\$Recycle.Bin\S-1-5-21-132146776-3345195101-1586744503-1000\$725f51212ebffe7c6f8abfe6380e9f70\n. -- File not found

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012.09.29 09:15:09 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\.minecraft
[2011.01.30 19:51:20 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Ashampoo
[2010.12.27 18:47:06 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Baumaschinen Simulator 2011
[2011.09.20 15:48:37 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\becker
[2012.12.23 23:55:00 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Canneverbe Limited
[2010.12.17 20:07:14 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Chirurgie Simulation
[2011.11.01 19:28:45 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Engelmann Media
[2010.09.01 20:00:50 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\InterTrust
[2012.12.24 01:38:03 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\OpenCandy
[2010.09.02 17:48:10 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\OpenOffice.org
[2012.04.01 06:14:59 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\T-Online
[2012.12.24 01:42:48 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\TuneUp Software
[2011.02.03 15:23:30 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\TweakNow RegCleaner 2011
[2012.03.06 13:19:57 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Ukotg
[2012.03.06 17:17:36 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Upwiu
[2011.03.12 15:40:38 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Wildlife Park 2
[2011.03.12 15:23:29 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Wildlife Park 2 - Abenteuer auf der Ranch
[2011.03.12 17:54:47 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Wildlife Park 2 - Crazy Zoo
[2011.03.12 14:56:18 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Wildlife Park 2 - Farm World
[2011.03.12 15:28:42 | 000,000,000 | ---D | M] -- C:\Users\Gieske\AppData\Roaming\Wildlife Park 2 - Marine World

========== Purity Check ==========

< End of report >


OTL Extras logfile created on: 29.12.2012 10:44:58 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Gieske\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,75 Gb Total Physical Memory | 1,59 Gb Available Physical Memory | 57,96% Memory free
5,50 Gb Paging File | 4,29 Gb Available in Paging File | 78,07% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 342,02 Gb Total Space | 237,48 Gb Free Space | 69,43% Space Free | Partition Type: NTFS
Drive D: | 341,97 Gb Total Space | 228,21 Gb Free Space | 66,73% Space Free | Partition Type: NTFS

Computer Name: GIESKE-PC | User Name: Gieske | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
```
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{04BCD8BE-5A0D-453E-BD59-117C5A54A869}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{1A0AE945-0DAF-438A-ADAE-952BDC897D9B}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{1B676298-EA56-4A87-B093-713C41508E25}" = rport=445 | protocol=6 | dir=out | app=system | "{1D75D03B-C12D-4436-871D-E352B0187220}" 
= lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{25227096-ADF6-4181-A4CC-9B6E37704FF0}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{28F92B40-36F8-4D60-BB7F-6F85EF431034}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{31CF4F8D-55CA-4D51-B612-7D5508EB5A6D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{38885871-B694-475D-8FDA-94D8C2717CAB}" = lport=2869 | protocol=6 | dir=in | app=system | "{4221DCC0-0DF9-46FF-96AF-3DB2F1CAA543}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{4582BFA6-0428-4B4D-823F-EE1D4977BB7C}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | "{464978F6-FEAC-4F47-ADE6-CBD64B735401}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{5C283D4C-60D6-4FBB-AD22-544EC0CAA63F}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{5DD670B2-E259-432D-AD7F-68BF418EE409}" = lport=445 | protocol=6 | dir=in | app=system | "{603D1CF7-6C18-4F96-AF4D-76D87CEB0DF5}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{6910E3F0-9310-4F94-A7BB-7BCA1B7EE768}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | "{69D2AE4C-77B4-4DEA-8495-230FEB066415}" = rport=138 | protocol=17 | dir=out | app=system | "{6E548F25-CD64-4B37-A9A7-888B7812D9A2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{70172EF1-6DD3-4ECD-8AA0-E7E1A18CE6F6}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{768F4AD2-A19C-4A20-9101-B083F39D8018}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{7888E51D-1385-431F-971E-BA6D36D3D047}" = lport=2869 | protocol=6 | dir=in | app=system | "{7C9F42FB-7A57-4BD1-98A1-A2C546ACC6D4}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{8147DF4F-C183-438D-AC51-9393FF141B1E}" = lport=137 | protocol=17 | dir=in | app=system | "{8E85B8FF-15AE-4C41-923B-0AF2ACEBA844}" = rport=137 | protocol=17 | dir=out | app=system | "{9157C833-B394-4BB9-80BE-D7436B2F5485}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{A43DE8C8-392F-441E-990A-28DE4D9D96D3}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | "{AA5F0D0C-49C4-4170-8697-CA0987ED4644}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe | "{AECC0377-4324-4B20-B37D-55FA2CCE7BD4}" = rport=10243 | protocol=6 | dir=out | app=system | "{AFC6981F-3883-4116-9958-C2AFBB660D01}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{B5F39ECD-4E9A-4000-A2D6-CEA5E4949978}" = lport=138 | protocol=17 | dir=in | app=system | "{BC75B75D-B5F3-4CC8-9666-B6C5AED7745D}" = rport=2869 | protocol=6 | dir=out | app=system | "{C001D24A-F574-4B09-AF3A-8BFDAB8B1345}" = rport=139 | protocol=6 | dir=out | app=system | "{C2ECFDE2-E6DD-4633-B8C5-677270803308}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | "{C694D6E8-1290-45B5-A66F-2A1382B7A705}" = lport=139 | protocol=6 | dir=in | app=system | "{CB8903A4-9EDD-493B-9C36-8461E168AE78}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{E01C48F5-BBA8-460D-B894-69C65E4B42C5}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | "{E59C7EDA-956D-41B8-BC2A-A990A26E4DC8}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{EB2103C8-5CED-4CEC-9EC8-A5614125CE66}" = rport=5355 | 
protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{EBEC9A09-B0B5-41B2-83B4-14BF86AE5D28}" = lport=10243 | protocol=6 | dir=in | app=system | "{F1230E72-AAE2-4240-A798-F03DE04BDACF}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{110695E0-DF06-48D8-AD70-3954C6678733}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{1232D079-1DEB-40C6-A392-C9E309AC51D9}" = protocol=17 | dir=in | app=c:\program files\landwirtschafts simulator 2013\farmingsimulator2013game.exe | "{13ACBDEE-3C37-404E-8BD2-88B0483D014F}" = protocol=17 | dir=in | app=c:\program files\landwirtschafts simulator 2011\game.exe | "{169C4895-EA15-4801-B3AF-6252D9637097}" = protocol=17 | dir=in | app=c:\program files\landwirtschafts simulator 2011\farmingsimulator2011.exe | "{1C3BC58D-51FD-479D-8ABA-62D4CD7C0D75}" = protocol=6 | dir=in | app=c:\program files\landwirtschafts simulator 2011\farmingsimulator2011.exe | "{21B0CBAC-91D8-4222-8DE6-CA01E1A7035C}" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3.exe | "{2D7FD6B4-C267-4D58-A8D5-66790A31B42F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{332F7BC8-0D60-4C4B-9A54-350864FD66A5}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{383C553A-0960-4D80-B0FD-66640F24F731}" = protocol=6 | dir=in | app=c:\program files\woodcutter simulator 2013\iupdate.dll | "{4CE21E39-B30B-4303-A4BC-81B79CE82533}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{513C21EC-2C5F-43B4-880F-2B8AC4F19E97}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{51594E13-2BF8-4D94-A00B-7A8773062D88}" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires 
iii\age3.exe | "{586E6A13-21DB-442D-99B2-D8FE15B32765}" = protocol=6 | dir=out | app=system | "{5980C17C-3F9F-49B9-91C1-AF57E79B30E9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{663A1AC0-A101-44BE-A04C-2120B2E697E9}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{67122DE6-DE46-4B66-8907-AD493C8E04E5}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{6ABB683C-91E7-47FC-8EB6-CB25602D340C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{74DFDDB9-206D-48E3-A93C-C19FC06AD141}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{7E394048-09DF-46C9-93CD-3592CA2AF03E}" = protocol=17 | dir=in | app=c:\program files\woodcutter simulator 2013\woodcutter2013.dll | "{831BF245-FA4D-49B1-A52F-28622BF834C9}" = protocol=6 | dir=in | app=c:\program files\landwirtschafts simulator 2011\game.exe | "{91E378D5-315E-4BAB-84B3-089EA1C695DB}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 | "{923B50CC-2DD5-4674-B424-B3511E6FBE32}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{969039BF-3964-47EC-A943-72E19470F7C1}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{9AF3448A-0E4D-4EFE-8808-FC2215C3FFA1}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{A79AB58C-D5D3-48DF-AD18-F3C82EC4F6FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{A97D8670-6121-4259-8FF0-0B5FEF0A72F3}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{AD26C3EB-8308-4FEA-9BC0-B823FE2F63C4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{AF8A934A-395C-43D8-8DB5-FCDB34187B86}" = protocol=17 | dir=in | app=c:\program files\landwirtschafts simulator 2013\farmingsimulator2013.exe | "{B0BA9D01-7694-4E26-BBAE-DA3BB991114F}" = dir=out | svc=sharedaccess | 
app=%systemroot%\system32\svchost.exe | "{C81DF9C4-A3C4-441B-9509-10CC8F042839}" = protocol=6 | dir=in | app=c:\windows\system32\msiexec.exe | "{CE1D30CA-9CEA-424D-9DAB-04D8920E2060}" = protocol=6 | dir=in | app=c:\program files\woodcutter simulator 2013\woodcutter2013.dll | "{DA851F06-17CC-4AF7-A772-154FD2CED362}" = protocol=17 | dir=in | app=c:\program files\woodcutter simulator 2013\iupdate.dll | "{DACBE3C1-3D82-4415-AB51-790EE86CA572}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{E166971C-13B9-4CFA-8B60-1714CE40C325}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{E9039C09-E92A-49ED-8F93-842A1E11E2EF}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{E9512C71-1F11-4F4E-A50D-916911BD13DE}" = protocol=6 | dir=in | app=c:\program files\landwirtschafts simulator 2013\farmingsimulator2013.exe | "{ED626596-493D-4EFC-8BBB-D24F4F1DF4B9}" = protocol=6 | dir=in | app=c:\program files\landwirtschafts simulator 2013\farmingsimulator2013game.exe | "{EDF43FEC-D404-48D2-B08F-D5290B25189C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{F0591DCA-F49B-4BC8-BBE2-FEE9D652E21A}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{F69C03F0-50AA-41EE-AAA2-F832A8430539}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{FA6E50E6-86CA-457D-A6E3-756122C36F92}" = protocol=17 | dir=in | app=c:\windows\system32\msiexec.exe | "TCP Query User{0DEF862D-4C5A-4179-9BC0-277AC44B2D4E}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | "TCP Query User{3D182DCD-72A6-4CDA-BBC0-92D437F8E355}C:\program files\microsoft games\age of empires ii\empires2.exe" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires ii\empires2.exe | "TCP Query User{448532B0-85DE-4C0D-A726-314E88B13996}C:\windows\system32\taskhost.exe" = protocol=6 | dir=in | 
app=c:\windows\system32\taskhost.exe | "TCP Query User{61B1129E-5EEE-4944-9990-007FA5AAF830}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "TCP Query User{887759FA-CB7C-4F98-9E93-9301DB0075E4}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | "TCP Query User{A5245801-F2D7-41C3-9D15-83FD30327359}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{17A01AD2-D692-48B7-AE7D-5C74A6AF4256}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{2158A60C-5C84-40F7-AC8B-7D1D33F7A298}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | "UDP Query User{3F2293C7-9AC6-4BAF-9C23-32B977C031CE}C:\windows\system32\taskhost.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskhost.exe | "UDP Query User{7B63AADE-D3C4-48E4-BED9-A1050D737C8D}C:\program files\microsoft games\age of empires ii\empires2.exe" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires ii\empires2.exe | "UDP Query User{7FA70033-A8FB-435E-9207-FE272243F0CB}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{B1D795FD-33D2-48B8-9F11-2F32E1DCA154}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{1280E900-35DA-4E08-A700-B79A5B2B8532}" = Microsoft Antimalware Service DE-DE Language Pack "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 
9.0.30729.4148 "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 29 "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{50779A29-834E-4E36-BBEB-B7CABC67A825}" = Microsoft Security Client DE-DE Language Pack "{52602542-6E1A-4002-AB4C-9A4391103507}" = O&O PartitionManager Professional "{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent "{537575D6-3B96-474C-BD8F-DFF667363DBD}" = Naviextras Toolbox Prerequesities "{581CE7EA-A30D-0000-1211-088635773309}" = MSI US54SE 802.11 b+g USB Stick "{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth "{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update "{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile-Gerätecenter "{90A455A7-0FC8-4508-B7FA-8F135B8F041A}" = DSL-Manager "{923BC9EF-A7FC-4E6D-8056-F1534DFCE530}" = Steuer-Software 2011 "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 
9.0.30729.6161 "{A00F8237-F496-44D2-0001-E3CCF8CD58AE}" = Photomizer "{A8CB4BF4-CD9C-49C0-92D2-7A85631C746D}_is1" = Baumaschinen Simulator 2011 Version 1.0 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch "{AF805B23-DCB3-44D5-A9A8-B44C7A80C8D7}_is1" = Gabelstapler Simulator 2009 "{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}" = AAVUpdateManager "{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail "{C917BA70-28A3-4C74-B163-41FD8C8E1A5A}" = Stronghold "{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials "{D596980D-17BE-4425-B8F0-5640719AADE9}" = LEGO® Star Wars™: The Complete Saga "{DFFC0648-BC4B-47D1-93D2-6CA6B9457641}" = OpenOffice.org 3.2 "{ECD03DA7-5952-406A-8156-5F0C93618D1F}" = USB PC Camera Plus "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F19178B7-F232-4E97-8511-E4D37A339E9C}" = Steuer-Software 2012 "{F4BBEF26-9D37-411F-B0E0-221C680F7B9B}" = TSDoctor "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Age of Empires" = Microsoft Age of Empires "Age of Empires 2.0" = Microsoft Age of Empires II "Ashampoo Photo Commander 7_is1" = Ashampoo Photo Commander 7.60 "AutoBauDeinstKey" = Autos bauen mit Willy Werkel "Avira AntiVir Desktop" = Avira Free Antivirus "Content Manager 2" = Content Manager 2 "DemolitionCompanyDE_is1" = Demolition Company "Digital Editions" = Adobe Digital Editions "EPSON Printer and Utilities" = EPSON-Drucker-Software "Euro Truck Simulator" = Euro Truck Simulator 1.1 "FarmingSimulator2011DE_is1" = Landwirtschafts Simulator 2011 "FarmingSimulator2013DE_is1" = Landwirtschafts Simulator 2013 "Freemake Video Converter_is1" = Freemake Video Converter Version 3.2.1 "Google Chrome" = Google Chrome "HaaliMkx" = 
Haali Media Splitter "InstallShield_{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III "InstallShield_{D596980D-17BE-4425-B8F0-5640719AADE9}" = LEGO® Star Wars™: Die Komplette Saga "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.65.1.1000 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Microsoft Security Client" = Microsoft Security Essentials "Mozilla Firefox 11.0 (x86 de)" = Mozilla Firefox 11.0 (x86 de) "PokerStars" = PokerStars "PriceGong" = PriceGong 2.6.2 "QuickTime" = QuickTime "SBMWW" = Schiffe bauen mit Willy Werkel "TKKG 9" = TKKG 9 "TweakNow RegCleaner 2011_is1" = TweakNow RegCleaner 2011 "WinLiveSuite_Wave3" = Windows Live Essentials "WinRAR archiver" = WinRAR "WLP2_is1" = Wildlife Park 2 - Farm World v2.1 "Woodcutter Simulator 2013" = Holzfäller Simulator 2013 ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 30.11.2012 15:27:25 | Computer Name = Gieske-PC | Source = Application Hang | ID = 1002 Description = Programm wlmail.exe, Version 14.0.8117.416 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 8d4 Startzeit: 01cdcf3078c39ecb Endzeit: 16 Anwendungspfad: C:\Program Files\Windows Live\Mail\wlmail.exe Berichts-ID: ecfc7e3e-3b23-11e2-b143-00226869e1ea Error - 02.12.2012 04:50:10 | Computer Name = Gieske-PC | Source = Application Hang | ID = 1002 Description = Programm game.exe, Version 4.1.6.1 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 748 Startzeit: 01cdd066b7b35a43 Endzeit: 245 Anwendungspfad: C:\Program Files\Landwirtschafts Simulator 2011\game.exe Berichts-ID: 41981ccc-3c5d-11e2-9b35-00226869e1ea Error - 14.12.2012 06:26:20 | Computer Name = Gieske-PC | Source = Application Hang | ID = 1002 Description = Programm soffice.bin, Version 3.2.9498.500 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 94c Startzeit: 01cdd9dc74f160e6 Endzeit: 9 Anwendungspfad: C:\Program Files\OpenOffice.org 3\program\soffice.bin Berichts-ID: a11f32f7-45d8-11e2-b9b2-00226869e1ea Error - 14.12.2012 09:29:26 | Computer Name = Gieske-PC | Source = VSS | ID = 8194 Description = Error - 23.12.2012 19:14:24 | Computer Name = Gieske-PC | Source = Application Hang | ID = 1002 Description = Programm wmplayer.exe, Version 12.0.7601.17514 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 140 Startzeit: 01cde162f96269b8 Endzeit: 16 Anwendungspfad: C:\Program Files\Windows Media Player\wmplayer.exe Berichts-ID: Error - 23.12.2012 19:44:33 | Computer Name = Gieske-PC | Source = Windows Backup | ID = 4104 Description = Error - 24.12.2012 15:58:49 | Computer Name = Gieske-PC | Source = TS-Doctor | ID = 2134 Description = Error - 24.12.2012 15:58:51 | Computer Name = Gieske-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: TSDoctor.exe, Version: 1.2.57.2901, Zeitstempel: 0x50cdd3d6 Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x04a2f768 ID des fehlerhaften Prozesses: 0x1484 Startzeit der fehlerhaften Anwendung: 0x01cde2110d1d1b5e Pfad der fehlerhaften Anwendung: C:\Program Files\Cypheros\TSDoctor\TSDoctor.exe Pfad des fehlerhaften Moduls: unknown Berichtskennung: 5621038a-4e04-11e2-8b71-00226869e1ea Error - 26.12.2012 16:03:47 | Computer Name = Gieske-PC | Source = Microsoft-Windows-RestartManager | ID = 10006 Description = Die Anwendung oder der Dienst "Windows-Explorer" konnte nicht heruntergefahren werden. 
Error - 28.12.2012 06:29:25 | Computer Name = Gieske-PC | Source = VSS | ID = 8194 Description = [ System Events ] Error - 28.12.2012 11:40:45 | Computer Name = Gieske-PC | Source = ipnathlp | ID = 31004 Description = Error - 28.12.2012 12:46:05 | Computer Name = Gieske-PC | Source = atikmdag | ID = 52236 Description = CPLIB :: General - Invalid Parameter Error - 28.12.2012 12:46:05 | Computer Name = Gieske-PC | Source = atikmdag | ID = 43029 Description = Display is not active Error - 28.12.2012 14:26:16 | Computer Name = Gieske-PC | Source = atikmdag | ID = 43029 Description = Display is not active Error - 28.12.2012 14:26:27 | Computer Name = Gieske-PC | Source = ipnathlp | ID = 31004 Description = Error - 29.12.2012 02:55:46 | Computer Name = Gieske-PC | Source = atikmdag | ID = 52236 Description = CPLIB :: General - Invalid Parameter Error - 29.12.2012 02:55:46 | Computer Name = Gieske-PC | Source = atikmdag | ID = 43029 Description = Display is not active Error - 29.12.2012 03:31:42 | Computer Name = Gieske-PC | Source = atikmdag | ID = 52236 Description = CPLIB :: General - Invalid Parameter Error - 29.12.2012 03:31:42 | Computer Name = Gieske-PC | Source = atikmdag | ID = 43029 Description = Display is not active Error - 29.12.2012 03:32:24 | Computer Name = Gieske-PC | Source = ipnathlp | ID = 31004 Description = < End of report >
iii\age3.exe | "{586E6A13-21DB-442D-99B2-D8FE15B32765}" = protocol=6 | dir=out | app=system | "{5980C17C-3F9F-49B9-91C1-AF57E79B30E9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{663A1AC0-A101-44BE-A04C-2120B2E697E9}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{67122DE6-DE46-4B66-8907-AD493C8E04E5}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{6ABB683C-91E7-47FC-8EB6-CB25602D340C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{74DFDDB9-206D-48E3-A93C-C19FC06AD141}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | "{7E394048-09DF-46C9-93CD-3592CA2AF03E}" = protocol=17 | dir=in | app=c:\program files\woodcutter simulator 2013\woodcutter2013.dll | "{831BF245-FA4D-49B1-A52F-28622BF834C9}" = protocol=6 | dir=in | app=c:\program files\landwirtschafts simulator 2011\game.exe | "{91E378D5-315E-4BAB-84B3-089EA1C695DB}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 | "{923B50CC-2DD5-4674-B424-B3511E6FBE32}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{969039BF-3964-47EC-A943-72E19470F7C1}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{9AF3448A-0E4D-4EFE-8808-FC2215C3FFA1}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{A79AB58C-D5D3-48DF-AD18-F3C82EC4F6FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{A97D8670-6121-4259-8FF0-0B5FEF0A72F3}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{AD26C3EB-8308-4FEA-9BC0-B823FE2F63C4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | "{AF8A934A-395C-43D8-8DB5-FCDB34187B86}" = protocol=17 | dir=in | app=c:\program files\landwirtschafts simulator 2013\farmingsimulator2013.exe | "{B0BA9D01-7694-4E26-BBAE-DA3BB991114F}" = dir=out | svc=sharedaccess | 
app=%systemroot%\system32\svchost.exe | "{C81DF9C4-A3C4-441B-9509-10CC8F042839}" = protocol=6 | dir=in | app=c:\windows\system32\msiexec.exe | "{CE1D30CA-9CEA-424D-9DAB-04D8920E2060}" = protocol=6 | dir=in | app=c:\program files\woodcutter simulator 2013\woodcutter2013.dll | "{DA851F06-17CC-4AF7-A772-154FD2CED362}" = protocol=17 | dir=in | app=c:\program files\woodcutter simulator 2013\iupdate.dll | "{DACBE3C1-3D82-4415-AB51-790EE86CA572}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | "{E166971C-13B9-4CFA-8B60-1714CE40C325}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{E9039C09-E92A-49ED-8F93-842A1E11E2EF}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{E9512C71-1F11-4F4E-A50D-916911BD13DE}" = protocol=6 | dir=in | app=c:\program files\landwirtschafts simulator 2013\farmingsimulator2013.exe | "{ED626596-493D-4EFC-8BBB-D24F4F1DF4B9}" = protocol=6 | dir=in | app=c:\program files\landwirtschafts simulator 2013\farmingsimulator2013game.exe | "{EDF43FEC-D404-48D2-B08F-D5290B25189C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | "{F0591DCA-F49B-4BC8-BBE2-FEE9D652E21A}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{F69C03F0-50AA-41EE-AAA2-F832A8430539}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | "{FA6E50E6-86CA-457D-A6E3-756122C36F92}" = protocol=17 | dir=in | app=c:\windows\system32\msiexec.exe | "TCP Query User{0DEF862D-4C5A-4179-9BC0-277AC44B2D4E}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | "TCP Query User{3D182DCD-72A6-4CDA-BBC0-92D437F8E355}C:\program files\microsoft games\age of empires ii\empires2.exe" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires ii\empires2.exe | "TCP Query User{448532B0-85DE-4C0D-A726-314E88B13996}C:\windows\system32\taskhost.exe" = protocol=6 | dir=in | 
app=c:\windows\system32\taskhost.exe | "TCP Query User{61B1129E-5EEE-4944-9990-007FA5AAF830}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "TCP Query User{887759FA-CB7C-4F98-9E93-9301DB0075E4}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | "TCP Query User{A5245801-F2D7-41C3-9D15-83FD30327359}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{17A01AD2-D692-48B7-AE7D-5C74A6AF4256}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{2158A60C-5C84-40F7-AC8B-7D1D33F7A298}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | "UDP Query User{3F2293C7-9AC6-4BAF-9C23-32B977C031CE}C:\windows\system32\taskhost.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskhost.exe | "UDP Query User{7B63AADE-D3C4-48E4-BED9-A1050D737C8D}C:\program files\microsoft games\age of empires ii\empires2.exe" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires ii\empires2.exe | "UDP Query User{7FA70033-A8FB-435E-9207-FE272243F0CB}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{B1D795FD-33D2-48B8-9F11-2F32E1DCA154}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{1280E900-35DA-4E08-A700-B79A5B2B8532}" = Microsoft Antimalware Service DE-DE Language Pack "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 
9.0.30729.4148 "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 29 "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{50779A29-834E-4E36-BBEB-B7CABC67A825}" = Microsoft Security Client DE-DE Language Pack "{52602542-6E1A-4002-AB4C-9A4391103507}" = O&O PartitionManager Professional "{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent "{537575D6-3B96-474C-BD8F-DFF667363DBD}" = Naviextras Toolbox Prerequesities "{581CE7EA-A30D-0000-1211-088635773309}" = MSI US54SE 802.11 b+g USB Stick "{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth "{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update "{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile-Gerätecenter "{90A455A7-0FC8-4508-B7FA-8F135B8F041A}" = DSL-Manager "{923BC9EF-A7FC-4E6D-8056-F1534DFCE530}" = Steuer-Software 2011 "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 
9.0.30729.6161 "{A00F8237-F496-44D2-0001-E3CCF8CD58AE}" = Photomizer "{A8CB4BF4-CD9C-49C0-92D2-7A85631C746D}_is1" = Baumaschinen Simulator 2011 Version 1.0 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch "{AF805B23-DCB3-44D5-A9A8-B44C7A80C8D7}_is1" = Gabelstapler Simulator 2009 "{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}" = AAVUpdateManager "{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail "{C917BA70-28A3-4C74-B163-41FD8C8E1A5A}" = Stronghold "{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials "{D596980D-17BE-4425-B8F0-5640719AADE9}" = LEGO® Star Wars™: The Complete Saga "{DFFC0648-BC4B-47D1-93D2-6CA6B9457641}" = OpenOffice.org 3.2 "{ECD03DA7-5952-406A-8156-5F0C93618D1F}" = USB PC Camera Plus "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F19178B7-F232-4E97-8511-E4D37A339E9C}" = Steuer-Software 2012 "{F4BBEF26-9D37-411F-B0E0-221C680F7B9B}" = TSDoctor "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Age of Empires" = Microsoft Age of Empires "Age of Empires 2.0" = Microsoft Age of Empires II "Ashampoo Photo Commander 7_is1" = Ashampoo Photo Commander 7.60 "AutoBauDeinstKey" = Autos bauen mit Willy Werkel "Avira AntiVir Desktop" = Avira Free Antivirus "Content Manager 2" = Content Manager 2 "DemolitionCompanyDE_is1" = Demolition Company "Digital Editions" = Adobe Digital Editions "EPSON Printer and Utilities" = EPSON-Drucker-Software "Euro Truck Simulator" = Euro Truck Simulator 1.1 "FarmingSimulator2011DE_is1" = Landwirtschafts Simulator 2011 "FarmingSimulator2013DE_is1" = Landwirtschafts Simulator 2013 "Freemake Video Converter_is1" = Freemake Video Converter Version 3.2.1 "Google Chrome" = Google Chrome "HaaliMkx" = 
Haali Media Splitter "InstallShield_{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III "InstallShield_{D596980D-17BE-4425-B8F0-5640719AADE9}" = LEGO® Star Wars™: Die Komplette Saga "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.65.1.1000 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Microsoft Security Client" = Microsoft Security Essentials "Mozilla Firefox 11.0 (x86 de)" = Mozilla Firefox 11.0 (x86 de) "PokerStars" = PokerStars "PriceGong" = PriceGong 2.6.2 "QuickTime" = QuickTime "SBMWW" = Schiffe bauen mit Willy Werkel "TKKG 9" = TKKG 9 "TweakNow RegCleaner 2011_is1" = TweakNow RegCleaner 2011 "WinLiveSuite_Wave3" = Windows Live Essentials "WinRAR archiver" = WinRAR "WLP2_is1" = Wildlife Park 2 - Farm World v2.1 "Woodcutter Simulator 2013" = Holzfäller Simulator 2013 ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 30.11.2012 15:27:25 | Computer Name = Gieske-PC | Source = Application Hang | ID = 1002 Description = Programm wlmail.exe, Version 14.0.8117.416 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 8d4 Startzeit: 01cdcf3078c39ecb Endzeit: 16 Anwendungspfad: C:\Program Files\Windows Live\Mail\wlmail.exe Berichts-ID: ecfc7e3e-3b23-11e2-b143-00226869e1ea Error - 02.12.2012 04:50:10 | Computer Name = Gieske-PC | Source = Application Hang | ID = 1002 Description = Programm game.exe, Version 4.1.6.1 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 748 Startzeit: 01cdd066b7b35a43 Endzeit: 245 Anwendungspfad: C:\Program Files\Landwirtschafts Simulator 2011\game.exe Berichts-ID: 41981ccc-3c5d-11e2-9b35-00226869e1ea Error - 14.12.2012 06:26:20 | Computer Name = Gieske-PC | Source = Application Hang | ID = 1002 Description = Programm soffice.bin, Version 3.2.9498.500 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 94c Startzeit: 01cdd9dc74f160e6 Endzeit: 9 Anwendungspfad: C:\Program Files\OpenOffice.org 3\program\soffice.bin Berichts-ID: a11f32f7-45d8-11e2-b9b2-00226869e1ea Error - 14.12.2012 09:29:26 | Computer Name = Gieske-PC | Source = VSS | ID = 8194 Description = Error - 23.12.2012 19:14:24 | Computer Name = Gieske-PC | Source = Application Hang | ID = 1002 Description = Programm wmplayer.exe, Version 12.0.7601.17514 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. 
Prozess-ID: 140 Startzeit: 01cde162f96269b8 Endzeit: 16 Anwendungspfad: C:\Program Files\Windows Media Player\wmplayer.exe Berichts-ID: Error - 23.12.2012 19:44:33 | Computer Name = Gieske-PC | Source = Windows Backup | ID = 4104 Description = Error - 24.12.2012 15:58:49 | Computer Name = Gieske-PC | Source = TS-Doctor | ID = 2134 Description = Error - 24.12.2012 15:58:51 | Computer Name = Gieske-PC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: TSDoctor.exe, Version: 1.2.57.2901, Zeitstempel: 0x50cdd3d6 Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x04a2f768 ID des fehlerhaften Prozesses: 0x1484 Startzeit der fehlerhaften Anwendung: 0x01cde2110d1d1b5e Pfad der fehlerhaften Anwendung: C:\Program Files\Cypheros\TSDoctor\TSDoctor.exe Pfad des fehlerhaften Moduls: unknown Berichtskennung: 5621038a-4e04-11e2-8b71-00226869e1ea Error - 26.12.2012 16:03:47 | Computer Name = Gieske-PC | Source = Microsoft-Windows-RestartManager | ID = 10006 Description = Die Anwendung oder der Dienst "Windows-Explorer" konnte nicht heruntergefahren werden. 
Error - 28.12.2012 06:29:25 | Computer Name = Gieske-PC | Source = VSS | ID = 8194
Description =

[ System Events ]
Error - 28.12.2012 11:40:45 | Computer Name = Gieske-PC | Source = ipnathlp | ID = 31004
Description =

Error - 28.12.2012 12:46:05 | Computer Name = Gieske-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter

Error - 28.12.2012 12:46:05 | Computer Name = Gieske-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 28.12.2012 14:26:16 | Computer Name = Gieske-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 28.12.2012 14:26:27 | Computer Name = Gieske-PC | Source = ipnathlp | ID = 31004
Description =

Error - 29.12.2012 02:55:46 | Computer Name = Gieske-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter

Error - 29.12.2012 02:55:46 | Computer Name = Gieske-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 29.12.2012 03:31:42 | Computer Name = Gieske-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter

Error - 29.12.2012 03:31:42 | Computer Name = Gieske-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 29.12.2012 03:32:24 | Computer Name = Gieske-PC | Source = ipnathlp | ID = 31004
Description =

< End of report >

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-12-29 12:19:58
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3750528AS rev.CC44
Running: 3jn7se1i.exe; Driver: C:\Users\Gieske\AppData\Local\Temp\pgriapoc.sys

---- System - GMER 1.0.15 ----

SSDT 90B3197E ZwCreateSection
SSDT 90B31988 ZwRequestWaitReplyPort
SSDT 90B31983 ZwSetContextThread
SSDT 90B3198D ZwSetSecurityObject
SSDT 90B31992 ZwSystemDebugControl
SSDT 90B3191F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 83248A49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832824D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 8328962C 4 Bytes [7E, 19, B3, 90] {JLE 0x1b; MOV BL, 0x90}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 83289988 4 Bytes [88, 19, B3, 90] {MOV [ECX], BL; MOV BL, 0x90}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 832899CC 4 Bytes [83, 19, B3, 90] {SBB DWORD [ECX], -0x4d; NOP }
.text ntkrnlpa.exe!KeRemoveQueueEx + 1613 83289A48 4 Bytes [8D, 19, B3, 90] {LEA EBX, [ECX]; MOV BL, 0x90}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 83289A9C 4 Bytes [92, 19, B3, 90]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9201B000, 0x2D5378, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744B24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [7449562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744956EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744B2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744A85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744A4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744A5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744A51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [744A6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744A8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744A8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744A90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744AE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [744A4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe[1808] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7581FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe[1808] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7581FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe[1808] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7581FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe[1808] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7581FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe[1808] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7581FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:1484] 9E999F2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2F709BF6-5D31-43B9-9DDA-BCCCF79A8F75}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BEAD2096-2814-41E0-AF79-3D70BC6918AF}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F709BF6-5D31-43B9-9DDA-BCCCF79A8F75}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F709BF6-5D31-43B9-9DDA-BCCCF79A8F75}@Path \Microsoft\Microsoft Antimalware\MpIdleTask
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F709BF6-5D31-43B9-9DDA-BCCCF79A8F75}@Hash 0x55 0x9C 0x68 0x8C ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F709BF6-5D31-43B9-9DDA-BCCCF79A8F75}@Triggers 0x15 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F709BF6-5D31-43B9-9DDA-BCCCF79A8F75}@DynamicInfo 0x03 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BEAD2096-2814-41E0-AF79-3D70BC6918AF}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BEAD2096-2814-41E0-AF79-3D70BC6918AF}@Path \Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BEAD2096-2814-41E0-AF79-3D70BC6918AF}@Hash 0xCC 0x66 0xBE 0x0A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BEAD2096-2814-41E0-AF79-3D70BC6918AF}@Triggers 0x15 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BEAD2096-2814-41E0-AF79-3D70BC6918AF}@DynamicInfo 0x03 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan@Id {BEAD2096-2814-41E0-AF79-3D70BC6918AF}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Microsoft Antimalware\MpIdleTask@Id {2F709BF6-5D31-43B9-9DDA-BCCCF79A8F75}

---- EOF - GMER 1.0.15 ----

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.26.12

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Gieske :: GIESKE-PC [Administrator]

29.12.2012 10:59:51
mbam-log-2012-12-29 (10-59-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193461
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-132146776-3345195101-1586744503-1000\$725f51212ebffe7c6f8abfe6380e9f70\n.) Good: (shell32.dll) -> Replaced and quarantined successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\$Recycle.Bin\S-1-5-21-132146776-3345195101-1586744503-1000\$725f51212ebffe7c6f8abfe6380e9f70\n (Trojan.0Access) -> Delete on reboot.
C:\Users\Gieske\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Gieske\AppData\Local\Temp\3706443.exe (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)
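The Malwarebytes findings and the OTL firewall section above are worth reading together: the CLSID {FBEB8A05-BEEE-4442-804E-409D6C4515E9} InProcServer32 value was redirected from shell32.dll to a payload under `$Recycle.Bin\<SID>\$<hash>\`, a copy of the system DLL name msimg32.dll sat in the user's Temp folder, and the firewall holds user-approved inbound "Query User" rules for explorer.exe and taskhost.exe, which never listen on a socket on their own. The script below is an added example for triaging such logs mechanically; it is not part of the original post nor of the OTL, GMER or Malwarebytes tools. Its sample input is copied from the log lines on this page (GUIDs, SID and hash included), the detection rules are this example's own heuristics, and the list of processes that should never accept inbound connections (explorer.exe, taskhost.exe, services.exe) is an assumption of the example.

```python
"""Triage rules for OTL firewall entries and Malwarebytes findings (added example)."""
import re
from typing import List, Optional

# Assumption of this example: processes that never legitimately listen on a
# socket. A "Query User" rule is what Windows Firewall writes after prompting
# the user because a process started listening; for one of these it means
# injected code opened the socket, not the process itself.
NO_LISTEN_HOSTS = {"explorer.exe", "taskhost.exe", "services.exe"}

# Payload directory layout seen in the log: C:\$Recycle.Bin\<user SID>\$<32 hex>\<file>
RECYCLE_PAYLOAD_RE = re.compile(
    r"\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}\\", re.IGNORECASE)

# Real system DLL names that a dropper plants in a user-writable directory so a
# legitimate program loads the planted copy first (DLL search-order hijack).
HIJACK_DLL_NAMES = {"msimg32.dll"}
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

FIREWALL_RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<body>.*)$')


def check_firewall_rule(line: str) -> Optional[str]:
    """Flag user-approved inbound rules for processes that should never listen."""
    m = FIREWALL_RULE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split("|"):   # OTL prints "key=value | key=value |"
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip().lower()
    app = fields.get("app", "")
    exe = app.rsplit("\\", 1)[-1]
    if (fields.get("dir") == "in" and exe in NO_LISTEN_HOSTS
            and "query user" in m.group("name").lower()):
        return f"inbound user-approved rule for {exe}: {app}"
    return None


def check_mbam_finding(line: str) -> Optional[str]:
    """Classify one Malwarebytes finding line by the artefacts seen in the log."""
    s = line.strip()
    m = re.search(r"(HKCR\\CLSID\\\{[0-9A-F-]+\}\\InProcServer32).*?\(([A-Za-z]:\\[^)]+)\)",
                  s, re.IGNORECASE)
    if m and RECYCLE_PAYLOAD_RE.search(m.group(2)):
        # The logged value ends in "n."; Win32 path normalisation drops a trailing
        # dot, so the value still resolves to the file named "n". Strip it before
        # comparing against the file finding.
        return f"COM hijack: {m.group(1)} -> {m.group(2).rstrip('.')}"
    m = re.match(r"([A-Za-z]:\\[^\s(]+)", s)
    if not m:
        return None
    path = m.group(1)
    name = path.rsplit("\\", 1)[-1].lower()
    if RECYCLE_PAYLOAD_RE.search(path):
        return f"Recycle.Bin payload: {path}"
    if USER_TEMP_RE.search(path):
        if name in HIJACK_DLL_NAMES:
            return f"search-order hijack candidate: {path}"
        if re.fullmatch(r"\d+\.exe", name):
            return f"numeric-named executable in Temp (weak signal): {path}"
    return None


def triage(firewall_lines: List[str], mbam_lines: List[str]) -> List[str]:
    """Run both rule sets and return the findings in input order."""
    findings = []
    for line in firewall_lines:
        hit = check_firewall_rule(line)
        if hit:
            findings.append(hit)
    for line in mbam_lines:
        hit = check_mbam_finding(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample input: lines copied from the OTL and Malwarebytes output above.
SAMPLE_FIREWALL = [
    r'"{C81DF9C4-A3C4-441B-9509-10CC8F042839}" = protocol=6 | dir=in | app=c:\windows\system32\msiexec.exe |',
    r'"TCP Query User{0DEF862D-4C5A-4179-9BC0-277AC44B2D4E}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |',
    r'"TCP Query User{448532B0-85DE-4C0D-A726-314E88B13996}C:\windows\system32\taskhost.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskhost.exe |',
    r'"TCP Query User{61B1129E-5EEE-4944-9990-007FA5AAF830}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |',
    r'"UDP Query User{7FA70033-A8FB-435E-9207-FE272243F0CB}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |',
]
SAMPLE_MBAM = [
    r"HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-132146776-3345195101-1586744503-1000\$725f51212ebffe7c6f8abfe6380e9f70\n.) Good: (shell32.dll)",
    r"C:\$Recycle.Bin\S-1-5-21-132146776-3345195101-1586744503-1000\$725f51212ebffe7c6f8abfe6380e9f70\n (Trojan.0Access) -> Delete on reboot.",
    r"C:\Users\Gieske\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> Quarantined and deleted successfully.",
    r"C:\Users\Gieske\AppData\Local\Temp\3706443.exe (Rootkit.0Access) -> Quarantined and deleted successfully.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FIREWALL, SAMPLE_MBAM):
        print(finding)
```

The firewall rule for geplugin.exe is deliberately left unflagged: a user-approved inbound rule is only suspicious when the process has no business listening. The numeric-name rule for Temp is a weak signal on its own and is labelled as such; it earns attention here only because it appears next to the Recycle.Bin payload and the planted msimg32.dll.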