Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Infizierung durch Matsnu Trojaner von Groupon

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 14.03.2013, 21:27   #1
Dr.CaRsTeN
 
Infizierung durch Matsnu Trojaner von Groupon - Unglücklich

Infizierung durch Matsnu Trojaner von Groupon



Hallo zusammen.

Meine Freundin hat heute Abend eine angebliche Mail von Groupon bekommen, in der sie zu einer Vertragszahlung aufgefordert wurde. Unbedarfterweise hat sie die angehängte Zipdatei geöffnet, was jedoch keine sichtbaren Auswirkungen auf das (Windows /) System hatte.

Jetzt liefert aber Avira in regelmäßigen Abständen Warnmeldungen, dass der Trojaner TR/Matsnu.EB.130 gefunden wurde. Dieser lässt sich auch direkt in den Quarantäne Ordner verschieben und von dort aus löschen, aber nach kurzer Zeit taucht im gleichen Ordner wieder eine neue Datei mit dem gleichen Trojaner auf.
Einen Screenshot vom letzten Fund habe ich angehängt, falls das hilft.

Auf den ersten Blick wurden (noch?) keine Dateien verschlüsselt. Trotzdem bin ich natürlich sehr misstrauisch geworden, was die Sicherheit des Systems angeht.
Auf eine komplette Formatierung würde ich gerne verzichten, falls das irgendwie möglich ist.

ich habe schonmal vortreffliche Hilfe hier im Forum bekommen und hoffe jetzt, dass ihr mir bzw. meiner Freundin noch einmal helfen könnt.

Viele Grüße,
Carsten


PS: Ich habe den anderen Thread über den "Groupon Trojaner" hier im Forum gesehen, aber kenne mich leider nicht gut genug aus in dem Thema, um sicher zu sein, ob ich die Schitte alle genauso übernehmen kann.
Miniaturansicht angehängter Grafiken
Infizierung durch Matsnu Trojaner von Groupon-meldung.jpg  

Alt 15.03.2013, 11:46   #2
Dr.CaRsTeN
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



So, ich habe jetzt mal ein paar Tests begonnen und poste die Ergebnisse mal hierher.

Zunächst die Logdatei eines kompletten Malwarebytes Bericht:

Code:
ATTFilter
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.03.14.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
xxxxx :: xxxxxxxxx [Administrator]

15.03.2013 11:07:44
mbam-log-2013-03-15 (11-07-44).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|Q:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 351910
Laufzeit: 1 Stunde(n), 27 Minute(n), 52 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\xxxxx\AppData\Roaming\Qygyyc\alme.exe (Trojan.Ransom.ED) -> Löschen bei Neustart.

(Ende)
         

Während des Tests lieferte die Windows Firewall eine Anfrage, die ich mir nicht erklären konnte.
Einen Screenshot hänge ich an.

Nach einem Neustart folgen weitere Tests.
Miniaturansicht angehängter Grafiken
Infizierung durch Matsnu Trojaner von Groupon-firewallwarnung.jpg  
__________________


Alt 15.03.2013, 12:25   #3
Dr.CaRsTeN
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



Hier die beiden OTL Logfiles:

Code:
ATTFilter
OTL logfile created on: 15.03.2013 12:56:27 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxxxx\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,86 Gb Total Physical Memory | 2,08 Gb Available Physical Memory | 54,06% Memory free
7,71 Gb Paging File | 5,58 Gb Available in Paging File | 72,34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450,66 Gb Total Space | 392,77 Gb Free Space | 87,15% Space Free | Partition Type: NTFS
 
Computer Name: xxxxx-PC | User Name: xxxxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC -  File not found
PRC - C:\Users\xxxxx\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Users\xxxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe (Microsoft Corporation.)
PRC - C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Acer\Registration\GREGsvc.exe (Acer Incorporated)
PRC - C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe (NTI Corporation)
PRC - C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe (NTI Corporation)
PRC - C:\Programme\Acer\Acer Updater\UpdaterService.exe (Acer Incorporated)
PRC - C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)
PRC - C:\Program Files (x86)\Launch Manager\LMutilps32.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Launch Manager\LMworker.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe (Realsil Microelectronics Inc.)
PRC - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
PRC - C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe ()
PRC - C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe (Acer Incorporated)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\27649bdc3da750e2e072dedbff56cc0b\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\09a468fb987e5a5f345346b0910c89ca\IAStorCommon.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll ()
MOD - C:\Program Files (x86)\NTI\Acer Backup Manager\sqlite3.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (CxAudMsg) -- C:\Windows\SysNative\CxAudMsg64.exe (Conexant Systems Inc.)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (McComponentHostService) -- C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe (McAfee, Inc.)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AntiVirSchedulerService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (BBUpdate) -- C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe (Microsoft Corporation.)
SRV - (BBSvc) -- C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe (Microsoft Corporation.)
SRV - (sftvsa) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (GREGService) -- C:\Program Files (x86)\Acer\Registration\GREGsvc.exe (Acer Incorporated)
SRV - (ePowerSvc) -- C:\Programme\Acer\Acer ePower Management\ePowerSvc.exe (Acer Incorporated)
SRV - (NTI IScheduleSvc) -- C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe (NTI Corporation)
SRV - (Live Updater Service) -- C:\Programme\Acer\Acer Updater\UpdaterService.exe (Acer Incorporated)
SRV - (DsiWMIService) -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Dritek System Inc.)
SRV - (CVPND) -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (AtherosSvc) -- C:\Program Files (x86)\Bluetooth Suite\adminservice.exe (Atheros Commnucations)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (IconMan_R) -- C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe (Realsil Microelectronics Inc.)
SRV - (wlcrasvc) -- C:\Programme\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV - (wlidsvc) -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.)
SRV - (HPSLPSVC) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL (Hewlett-Packard Co.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (RS_Service) -- C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe (Acer Incorporated)
SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira GmbH)
DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (Sftvol) -- C:\Windows\SysNative\drivers\Sftvollh.sys (Microsoft Corporation)
DRV:64bit: - (Sftplay) -- C:\Windows\SysNative\drivers\Sftplaylh.sys (Microsoft Corporation)
DRV:64bit: - (Sftredir) -- C:\Windows\SysNative\drivers\Sftredirlh.sys (Microsoft Corporation)
DRV:64bit: - (Sftfs) -- C:\Windows\SysNative\drivers\Sftfslh.sys (Microsoft Corporation)
DRV:64bit: - (avkmgr) -- C:\Windows\SysNative\drivers\avkmgr.sys (Avira GmbH)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (CnxtHdAudService) -- C:\Windows\SysNative\drivers\CHDRT64.sys (Conexant Systems Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (NTIDrvr) -- C:\Windows\SysNative\drivers\NTIDrvr.sys (NTI Corporation)
DRV:64bit: - (UBHelper) -- C:\Windows\SysNative\drivers\UBHelper.sys (NTI Corporation)
DRV:64bit: - (CVPNDRVA) -- C:\Windows\SysNative\drivers\CVPNDRVA.sys ()
DRV:64bit: - (BtFilter) -- C:\Windows\SysNative\drivers\btfilter.sys (Atheros)
DRV:64bit: - (BTATH_RCP) -- C:\Windows\SysNative\drivers\btath_rcp.sys (Atheros)
DRV:64bit: - (BTATH_LWFLT) -- C:\Windows\SysNative\drivers\btath_lwflt.sys (Atheros)
DRV:64bit: - (BTATH_A2DP) -- C:\Windows\SysNative\drivers\btath_a2dp.sys (Atheros)
DRV:64bit: - (BTATH_HCRP) -- C:\Windows\SysNative\drivers\btath_hcrp.sys (Atheros)
DRV:64bit: - (AthBTPort) -- C:\Windows\SysNative\drivers\btath_flt.sys (Atheros)
DRV:64bit: - (BTATH_BUS) -- C:\Windows\SysNative\drivers\btath_bus.sys (Atheros)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (RSPCIESTOR) -- C:\Windows\SysNative\drivers\RtsPStor.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (L1C) -- C:\Windows\SysNative\drivers\L1C62x64.sys (Atheros Communications, Inc.)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV:64bit: - (nusb3xhc) -- C:\Windows\SysNative\drivers\nusb3xhc.sys (Renesas Electronics Corporation)
DRV:64bit: - (nusb3hub) -- C:\Windows\SysNative\drivers\nusb3hub.sys (Renesas Electronics Corporation)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (CVirtA) -- C:\Windows\SysNative\drivers\CVirtA64.sys (Cisco Systems, Inc.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (StillCam) -- C:\Windows\SysNative\drivers\serscan.sys (Microsoft Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (DNE) -- C:\Windows\SysNative\drivers\dne64x.sys (Deterministic Networks, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer.msn.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer.msn.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-1480892100-3287089332-176741844-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
IE - HKU\S-1-5-21-1480892100-3287089332-176741844-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer.msn.com
IE - HKU\S-1-5-21-1480892100-3287089332-176741844-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1480892100-3287089332-176741844-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de"
FF - prefs.js..extensions.enabledAddons: %7BD4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389%7D:0.9.10
FF - prefs.js..extensions.enabledAddons: donottrackplus%40abine.com:2.2.6.110
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0.2
 
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\xxxxx\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011.10.12 16:40:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.08 07:58:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.03.12 10:17:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011.10.12 16:40:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.08 07:58:59 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.03.12 10:17:22 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
 
[2011.10.10 14:45:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\Extensions
[2013.02.14 12:00:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\Firefox\Profiles\fo02bgq9.default\extensions
[2013.02.14 12:00:25 | 000,000,000 | ---D | M] (DoNotTrackMe) -- C:\Users\xxxxx\AppData\Roaming\mozilla\Firefox\Profiles\fo02bgq9.default\extensions\donottrackplus@abine.com
[2013.02.14 10:27:56 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\firefox\profiles\fo02bgq9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2011.10.29 22:57:10 | 000,434,392 | ---- | M] () (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\firefox\profiles\fo02bgq9.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
[2013.02.12 06:55:59 | 000,007,919 | ---- | M] () (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\firefox\profiles\fo02bgq9.default\extensions\donottrackplus@abine.com\chrome\content\ff\view_expiry.js
[2013.03.08 07:58:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.03.08 07:58:59 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.06.23 15:57:29 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.09.09 11:34:40 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.06.23 15:57:29 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.06.23 15:57:29 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.06.23 15:57:29 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.06.23 15:57:29 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (CIESpeechBHO Class) - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [AthBtTray] C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Atheros Commnucations)
O4:64bit: - HKLM..\Run: [AtherosBtStack] C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Communications)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Power Management] C:\Programme\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe (NTI Corporation)
O4 - HKLM..\Run: [Dolby Home Theater v4] C:\Dolby PCEE4\pcee4.exe (Dolby Laboratories Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [Facebook Update] C:\Users\xxxxx\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [kjbnutye] C:\Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe (ARM Limited)
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [Opige] C:\Users\xxxxx\AppData\Roaming\Qygyyc\alme.exe File not found
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not found
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [userft] "C:\Users\xxxxx\AppData\Roaming\userft.exe" -autorun File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\xxxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9:64bit: - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.4.1)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.4.1)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{710CFF55-3618-4361-89AE-DA85859F823D}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.03.15 12:55:30 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\xxxxx\Desktop\OTL.exe
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Xoysba
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Qygyyc
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Cyqeb
[2013.03.15 11:06:38 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013.03.15 11:06:38 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013.03.15 11:06:37 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013.03.15 11:06:36 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013.03.15 11:06:36 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013.03.15 11:06:36 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013.03.15 11:06:36 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013.03.15 11:06:36 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013.03.15 11:06:35 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013.03.15 11:06:35 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013.03.15 11:06:35 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013.03.15 11:06:34 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013.03.15 11:06:33 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013.03.15 11:06:33 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013.03.15 11:06:32 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013.03.15 11:06:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013.03.15 11:04:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013.03.15 11:04:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2013.03.14 21:04:52 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\Bpcrkpilfoq
[2013.03.12 10:17:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird
[2013.03.08 07:58:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013.02.28 10:05:04 | 002,284,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msmpeg2vdec.dll
[2013.02.28 10:05:03 | 002,776,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msmpeg2vdec.dll
[2013.02.28 10:05:02 | 000,221,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\UIAnimation.dll
[2013.02.28 10:05:02 | 000,187,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\UIAnimation.dll
[2013.02.28 10:04:54 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMPhoto.dll
[2013.02.28 10:04:54 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMPhoto.dll
[2013.02.28 10:04:44 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013.02.28 10:04:44 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013.02.28 10:04:44 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013.02.28 10:04:44 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013.02.28 10:04:44 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013.02.28 10:04:44 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013.02.28 10:04:44 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013.02.28 10:04:43 | 000,194,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll
[2013.02.28 10:04:43 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013.02.28 10:04:42 | 002,565,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll
[2013.02.28 10:04:42 | 000,522,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2013.02.28 10:04:41 | 000,364,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2013.02.28 10:04:41 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013.02.28 10:04:41 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013.02.28 10:04:41 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-user32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
[2013.02.28 10:04:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-version-l1-1-0.dll
[2013.02.28 10:04:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013.02.28 10:04:40 | 001,504,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d11.dll
[2013.02.28 10:04:40 | 000,648,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10level9.dll
[2013.02.28 10:04:40 | 000,363,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxgi.dll
[2013.02.28 10:04:40 | 000,333,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll
[2013.02.28 10:04:40 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10core.dll
[2013.02.28 10:04:39 | 001,887,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d11.dll
[2013.02.28 10:04:39 | 001,682,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsPrint.dll
[2013.02.28 10:04:39 | 001,238,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10.dll
[2013.02.28 10:04:39 | 001,158,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsPrint.dll
[2013.02.28 10:04:38 | 001,643,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2013.02.28 10:04:38 | 000,245,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecsExt.dll
[2013.02.28 10:04:37 | 003,928,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll
[2013.02.28 10:04:37 | 001,424,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecs.dll
[2013.02.13 23:20:23 | 005,553,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013.02.13 23:20:23 | 003,967,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013.02.13 23:20:22 | 003,913,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013.02.13 23:19:00 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2013.02.13 23:19:00 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2013.02.13 23:19:00 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2013.02.13 23:19:00 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2013.02.13 23:19:00 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2013.02.13 23:18:59 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2013.02.13 23:18:39 | 000,288,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[3 C:\Users\xxxxx\Desktop\*.tmp files -> C:\Users\xxxxx\Desktop\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.03.15 12:56:55 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.15 12:56:55 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.15 12:55:33 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxxxx\Desktop\OTL.exe
[2013.03.15 12:49:32 | 000,000,035 | ---- | M] () -- C:\Users\Public\Documents\AtherosServiceConfig.ini
[2013.03.15 12:49:22 | 000,001,104 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.03.15 12:48:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.15 12:48:01 | 3104,722,944 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.15 12:18:01 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.03.15 12:17:03 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.15 11:59:02 | 000,001,138 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1480892100-3287089332-176741844-1001UA.job
[2013.03.15 11:13:31 | 000,076,649 | ---- | M] () -- C:\Users\xxxxx\Desktop\FirewallWarnung.jpg
[2013.03.15 00:30:15 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1480892100-3287089332-176741844-1001Core.job
[2013.03.14 22:18:32 | 000,029,907 | ---- | M] () -- C:\Users\xxxxx\Desktop\Meldung.jpg
[2013.03.13 13:17:19 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013.03.13 13:17:19 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013.02.14 11:00:48 | 000,297,712 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.02.14 10:35:41 | 001,522,246 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.02.14 10:35:41 | 000,654,844 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.02.14 10:35:41 | 000,616,686 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.02.14 10:35:41 | 000,130,426 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.02.14 10:35:41 | 000,106,808 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[3 C:\Users\xxxxx\Desktop\*.tmp files -> C:\Users\xxxxx\Desktop\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.03.15 11:13:30 | 000,076,649 | ---- | C] () -- C:\Users\xxxxx\Desktop\FirewallWarnung.jpg
[2013.03.14 22:18:31 | 000,029,907 | ---- | C] () -- C:\Users\xxxxx\Desktop\Meldung.jpg
[2013.01.08 07:03:09 | 000,000,303 | ---- | C] () -- C:\Windows\wininit.ini
[2012.05.21 10:12:31 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\sysprs7.dll
[2012.05.21 10:12:31 | 000,000,205 | ---- | C] () -- C:\Windows\SysWow64\lsprst7.dll
[2011.10.19 10:33:05 | 001,526,948 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.10.12 16:38:10 | 000,262,546 | ---- | C] () -- C:\Windows\hpwins23.dat
[2011.10.12 16:38:10 | 000,002,075 | ---- | C] () -- C:\Windows\hpwmdl23.dat
[2011.06.09 08:36:27 | 000,066,856 | ---- | C] () -- C:\Windows\SysWow64\SynTPEnhPS.dll
[2011.06.09 08:35:53 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2011.06.09 08:35:52 | 000,214,760 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2011.06.09 08:35:51 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2011.06.09 08:35:50 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2011.06.09 08:35:49 | 013,355,008 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
[2011.06.09 08:15:07 | 000,131,984 | ---- | C] () -- C:\ProgramData\FullRemove.exe
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 04:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:5925E400

< End of report >
         

Code:
ATTFilter
OTL Extras logfile created on: 15.03.2013 12:56:27 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxxxx\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,86 Gb Total Physical Memory | 2,08 Gb Available Physical Memory | 54,06% Memory free
7,71 Gb Paging File | 5,58 Gb Available in Paging File | 72,34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450,66 Gb Total Space | 392,77 Gb Free Space | 87,15% Space Free | Partition Type: NTFS
 
Computer Name: xxxxx-PC | User Name: xxxxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04A7B501-FD6F-4A69-AE21-1057B744A71B}" = lport=138 | protocol=17 | dir=in | app=system | 
"{06765592-AEBD-4140-82E5-52FDAC6F95BA}" = rport=139 | protocol=6 | dir=out | app=system | 
"{15BCEA2C-F1D4-4FB8-BCB8-EC5844A135FA}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{17C44204-59E4-4F93-8038-2BA28185403B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{19BCE7BF-0D90-47FC-A08D-9CA2481FC0FB}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{1D150150-9E22-4847-B08B-B70461A377E0}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{1F64BC9D-B7BC-4540-8F5B-89B2C828F2B3}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{2542B2CF-073F-4907-BA57-4FDFDF3B145C}" = rport=138 | protocol=17 | dir=out | app=system | 
"{2A5F9077-57A8-4FC2-A20E-F96D929488D9}" = lport=137 | protocol=17 | dir=in | app=system | 
"{2E2B199C-24D7-4BFD-9C7A-A51FCBDBF4DD}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{651E082A-3A99-4A84-A853-BDFF60E73ED0}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{68CE0A04-1213-4DD9-A4CB-3E252A6C9BC6}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) | 
"{76C74D2C-7157-4D80-8FA7-422BA8A5207E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{AB68A9C0-6B2C-48D4-983C-C1FB666EBB8A}" = lport=139 | protocol=6 | dir=in | app=system | 
"{B86A61B3-D0C5-41E6-B4C4-049ADBA4BBF0}" = rport=137 | protocol=17 | dir=out | app=system | 
"{B870EB96-1C80-489A-A725-5F614D5FC91A}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{B92FDDE8-9386-43A2-B894-B1EAEF5207F4}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe | 
"{BB05CBDA-383E-446F-B11E-C992D0C8D138}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{BB3C1922-0974-4AA9-AAFE-981B50DAF5E1}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) | 
"{C7EE0F4E-42EF-4D1A-B80F-888EE15878D5}" = lport=445 | protocol=6 | dir=in | app=system | 
"{CD495B0A-7D7D-4A65-B2F7-D0F4A0FE43BA}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{D3FE40D3-2E24-410D-8F50-17AB07AFC2D3}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{DBFA9B4D-9CAD-48B0-908F-C7A08B9E0325}" = rport=445 | protocol=6 | dir=out | app=system | 
"{EBDA6B59-4B0D-477A-BCAD-F306320EBC8E}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0676C4D1-151E-4D05-AF6E-C80F76D7FC0C}" = dir=in | app=c:\program files (x86)\acer\acer vcm\rs_service.exe | 
"{0A142BCF-8243-4102-B0CD-56F4F9674BF4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{0C506629-6794-415F-962D-6932B8883857}" = dir=in | app=c:\program files (x86)\hp\hp software update\hpwucli.exe | 
"{147560BA-2FA4-4E20-9460-9C44E6AE01C2}" = protocol=6 | dir=in | app=c:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"{1988A297-4F41-4A91-95E4-74105EF5B55B}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe | 
"{19F66BAE-A4A5-4F90-9494-6646A76074B1}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpofxs08.exe | 
"{201012C3-EAB6-4C75-9F1B-7555D58067BD}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe | 
"{2352EA1A-53A4-4112-A794-88104AF10ABC}" = dir=in | app=c:\users\xxxxx\appdata\local\facebook\video\skype\facebookvideocalling.exe | 
"{27DCC1E8-BDAE-47FC-9C97-0624178C34A2}" = dir=in | app=c:\program files (x86)\hp\digital imaging\smart web printing\smartwebprintexe.exe | 
"{303C77F1-970A-456E-91B3-CA855B04D4B6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{33B18FC4-A013-4137-BC1A-14F271E29DDF}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{38A7737E-D208-408F-9A90-564BEDBB1566}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{3ACD0411-CDC7-4956-9595-9DB768BFF58B}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgplgtupl.exe | 
"{3B248FF3-2C4B-4A20-9610-835CFD6A39A1}" = dir=in | app=c:\users\xxxxx\appdata\local\temp\7zs6c81\oj6500ve709_full_14\setup\hpznui40.exe | 
"{3E714AA5-68D8-4172-9412-3168FAEC5749}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe | 
"{4EAED004-FFE4-442A-B957-F2AD990931A0}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{4FEB33A3-7F01-4FDC-A675-B49EAE8232DB}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpoews01.exe | 
"{52583D48-67FA-4647-AF7A-1B9DC6856AAD}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqusgm.exe | 
"{552F75DF-3581-42CB-8E77-90D2FCD71FA1}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpiscnapp.exe | 
"{557F0F61-8243-4DBB-8968-64D022982BD0}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{584C436F-31BA-4F39-85BB-B6E1A1EC8BD1}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpfccopy.exe | 
"{5AC7303C-8320-4D17-A2B1-BBC95E3EA1D7}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqste08.exe | 
"{5FF01F7D-07EC-49CA-A349-6416D12D9E09}" = protocol=6 | dir=out | app=system | 
"{60B1EDC6-A1AE-4D30-8424-BA3E47C6A43C}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{6FFCF433-02C0-4DF6-B598-49B6073B5608}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{71BFE7D9-ABBB-4052-B3C7-30B05207C2DB}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{79B77EA3-F328-463B-8782-274193EB7FF8}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{7A7D18AC-B26C-45B2-91D5-E25B7F05157A}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe | 
"{87D0BDB1-6A23-4B69-B52B-22CDAF2BC667}" = dir=in | app=c:\program files (x86)\acer\acer vcm\vc.exe | 
"{910B68F0-1E23-4D4B-B78A-358B9927D680}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqkygrp.exe | 
"{A841FB60-BB2E-47DC-BC62-EDDE48E293A7}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposfx08.exe | 
"{AF34E259-FA14-4C83-A951-B34CE5170EC5}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{BDC3263D-167F-4964-99AC-777CFBFC36AF}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpzwiz01.exe | 
"{BF6248C7-43B7-43A7-9845-F9AC7D66D0E2}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{C0D434AF-A066-47B4-AEDF-21113394D0FF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{CA492375-0D9F-4E51-9144-49A3F06E8CC9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{CF62964E-05A5-4E17-A485-76BD69B03442}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqfxt08.exe | 
"{D3C53138-DBDA-4F42-9C90-5C50B75CCC6C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{D9341060-A7DD-4E4A-A796-62043206A724}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{D9FF2C53-6B21-4553-85C3-5E22726B07FB}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgpc01.exe | 
"{DA7DE859-C5ED-4E04-927A-C518F1BE9CEE}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{E451533B-B2C4-49D1-B974-C00655125A5C}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposid01.exe | 
"{E73179DA-0A81-48AC-8B1F-305893C440B7}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqusgh.exe | 
"{EA1A0A64-4196-4503-94CC-CD6B7A7F478D}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{EE355B59-E3AC-4AD1-BD56-A9050F43776C}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{F042498C-CB49-4108-BD70-A74B0DCA0A36}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpofxm08.exe | 
"{F7B81029-003E-4799-B34A-2AEBA36F620E}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{FC12867F-E0B8-45F1-A1CD-FC0C291C7420}" = protocol=17 | dir=in | app=c:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"{FD892798-9BFE-49AA-9BF7-5279BCE79589}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"TCP Query User{1A2EEF3C-D0A9-450A-BFE9-59056FB6D6AF}C:\users\xxxxx\appdata\roaming\qygyyc\alme.exe" = protocol=6 | dir=in | app=c:\users\xxxxx\appdata\roaming\qygyyc\alme.exe | 
"TCP Query User{4FEB6648-48EE-4943-8D4D-2AA07A047A2C}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"TCP Query User{5A2A6A78-7D38-4051-820C-FAA1B862A693}C:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"TCP Query User{91D5DBA1-4AE0-4D39-867F-7FCED3190C9B}C:\program files\ibm\spss\statistics\20\stats.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\stats.exe | 
"TCP Query User{EEE63673-7265-4B76-B070-D37381BB4DD1}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{1E4685A0-E6BA-46B6-853D-44E3E0CE47FB}C:\program files\ibm\spss\statistics\20\stats.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\stats.exe | 
"UDP Query User{2E5A3611-9B8D-420F-ACCD-8AAF13927C13}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{4B6DE7E7-EB5D-402A-8BBD-DCC57BB40590}C:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"UDP Query User{5AA2FEC0-05CD-4220-86DB-765E1AFA18DE}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{9181BBEC-5F96-4E05-B09C-DA81806C3246}C:\users\xxxxx\appdata\roaming\qygyyc\alme.exe" = protocol=17 | dir=in | app=c:\users\xxxxx\appdata\roaming\qygyyc\alme.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0919C44F-F18A-4E3B-A737-03685272CE72}" = Windows Live Remote Service Resources
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{1553D712-B35F-4A82-BC72-D6B11A94BE3E}" = Windows Live Remote Service Resources
"{1685AE50-97ED-485B-80F6-145071EE14B0}" = Windows Live Remote Service Resources
"{17A4FD95-A507-43F1-BC92-D8572AF8340A}" = Windows Live Remote Service Resources
"{19F09425-3C20-4730-9E2A-FC2E17C9F362}" = Windows Live Remote Service Resources
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{1EB2CFC3-E1C5-4FC4-B1F8-549DD6242C67}" = Windows Live Remote Service Resources
"{22AB5CFD-B3DB-414E-9F99-4D024CCF1DA6}" = Windows Live Remote Client Resources
"{230D1595-57DA-4933-8C4E-375797EBB7E1}" = Bluetooth Win7 Suite (64)
"{2426E29F-9E8C-4C0B-97FC-0DB690C1ED98}" = Windows Live Remote Client Resources
"{2AF8017B-E503-408F-AACE-8A335452CAD2}" = IBM SPSS Statistics 20
"{2C1A6191-9804-4FDC-AB01-6F9183C91A13}" = Windows Live Remote Client Resources
"{2F304EF4-0C31-47F4-8557-0641AAE4197C}" = Windows Live Remote Client Resources
"{34384A2A-2CA2-4446-AB0E-1F360BA2AAC5}" = Windows Live Remote Service Resources
"{350FD0E7-175A-4F86-84EF-05B77FCD7161}" = Windows Live Remote Service Resources
"{3921492E-82D2-4180-8124-E347AD2F2DB4}" = Windows Live Remote Client Resources
"{456FB9B5-AFBC-4761-BBDC-BA6BAFBB818F}" = Windows Live Remote Client Resources
"{480F28F0-8BCE-404A-A52E-0DBB7D1CE2EF}" = Windows Live Remote Service Resources
"{48C0866E-57EB-444C-8371-8E4321066BC3}" = Network64
"{4C2E49C0-9276-4324-841D-774CCCE5DB48}" = Windows Live Remote Client Resources
"{5141AA6E-5FAC-4473-BFFB-BEE69DDC7F2B}" = Windows Live Remote Service Resources
"{5151E2DB-0748-4FD1-86A2-72E2F94F8BE7}" = Windows Live Remote Service Resources
"{57F2BD1C-14A3-4785-8E48-2075B96EB2DF}" = Windows Live Remote Service Resources
"{58D79E62-CFC8-4331-8469-3A1B16E1769C}" = HP Officejet 6500 E709 Series
"{5E2CD4FB-4538-4831-8176-05D653C3E6D4}" = Windows Live Remote Service Resources
"{5F44A3A1-5D24-4708-8776-66B42B174C64}" = Windows Live Remote Client Resources
"{5FCD6EFE-C2E7-4D77-8212-4BA223D8DF8E}" = Windows Live Remote Client Resources
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}" = Cisco Systems VPN Client 5.0.07.0440
"{5FEAD3E5-A158-4B66-B92B-0C959D7CF838}" = Windows Live Remote Service Resources
"{61407251-7F7D-4303-810D-226A04D5CFF3}" = Windows Live Remote Service Resources
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{692CCE55-9EAE-4F57-A834-092882E7FE0B}" = Windows Live Remote Client Resources
"{6C9D3F1D-DBBE-46F9-96A0-726CC72935AF}" = Windows Live Remote Service Resources
"{6CBFDC3C-CF21-4C02-A6DC-A5A2707FAF55}" = Windows Live Remote Service Resources
"{702A632F-99CE-4E2D-B8F2-BF980E9CF62F}" = Windows Live Remote Client Resources
"{7AEC844D-448A-455E-A34E-E1032196BBCD}" = Windows Live Remote Service Resources
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{825C7D3F-D0B3-49D5-A42B-CBB0FBE85E99}" = Windows Live Remote Client Resources
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{850B8072-2EA7-4EDC-B930-7FE569495E76}" = Windows Live Remote Client Resources
"{8970AE69-40BE-4058-9916-0ACB1B974A3D}" = Windows Live Remote Client Resources
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EB588BD-D398-40D0-ADF7-BE1CEEF7C116}" = Windows Live Remote Client Resources
"{8F7F2D9C-2DBE-4F10-9C7C-2724110A3339}" = Windows Live Remote Service Resources
"{90140000-006D-0407-1000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97A295A7-8840-4B35-BB61-27A8F4512CA3}" = Windows Live Remote Service Resources
"{9E9C960F-7F47-46D5-A95D-950B354DE2B8}" = Windows Live Remote Service Resources
"{A060182D-CDBE-4AD6-B9B4-860B435D6CBD}" = Windows Live Remote Client Resources
"{A508D5A2-3AC1-4594-A718-A663D6D3CF11}" = Windows Live Remote Service Resources
"{A679FBE4-BA2D-4514-8834-030982C8B31A}" = Windows Live Remote Service Resources
"{A6E0F6BE-30AC-4D36-97B0-1AC20E23CB83}" = Windows Live Remote Client Resources
"{B0BF8602-EA52-4B0A-A2BD-EDABB0977030}" = Windows Live Remote Client Resources
"{B680A663-1A15-47A5-A07C-7DF9A97558B7}" = Windows Live Remote Client Resources
"{B750FA38-7AB0-42CB-ACBB-E7DBE9FF603F}" = Windows Live Remote Client Resources
"{BE930E38-7BB3-45B6-85B2-5251F374F844}" = 64 Bit HP CIO Components Installer
"{C504EC13-E122-4939-BD6E-EE5A3BAA5FEC}" = Windows Live Remote Client Resources
"{C9F05151-95A9-4B9B-B534-1760E2D014A5}" = Windows Live Remote Client Resources
"{CFF3C688-2198-4BC3-A399-598226949C39}" = Windows Live Remote Client Resources
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{D1C1556C-7FF3-48A3-A5D6-7126F0FAFB66}" = Windows Live Remote Client Resources
"{D3E4F422-7E0F-49C7-8B00-F42490D7A385}" = Windows Live Remote Service Resources
"{D5876F0A-B2E9-4376-B9F5-CD47B7B8D820}" = Windows Live Remote Client Resources
"{D930AF5C-5193-4616-887D-B974CEFC4970}" = Windows Live Remote Service Resources
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DBEDAF67-C5A3-4C91-951D-31F3FE63AF3F}" = Windows Live Remote Client Resources
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{ED421F97-E1C3-4E78-9F54-A53888215D58}" = Windows Live Remote Client Resources
"{EFB20CF5-1A6D-41F3-8895-223346CE6291}" = Windows Live Remote Service Resources
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F6CB2C5F-B2C1-4DF1-BF44-39D0DC06FE6F}" = Windows Live Remote Service Resources
"{FAA3933C-6F0D-4350-B66B-9D7F7031343E}" = Windows Live Remote Service Resources
"{FAD0EC0B-753B-4A97-AD34-32AC1EC8DB69}" = Windows Live Remote Client Resources
"CNXT_AUDIO_HDA" = Conexant HD Audio
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 14.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 14.0
"HPExtendedCapabilities" = HP Customer Participation Program 14.0
"HPOCR" = OCR Software by I.R.I.S. 14.0
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Shop for HP Supplies" = Shop for HP Supplies
"SynTPDeinstKey" = Synaptics Pointing Device Driver
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{00884F14-05BD-4D8E-90E5-1ABF78948CA4}" = Windows Live Mesh
"{0125DB4D-98A0-4DBF-B68A-23BF08FFA6A3}" = Windows Live Messenger
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = Acer Crystal Eye Webcam
"{039480EE-6933-4845-88B8-77FD0C3D059D}" = Windows Live Mesh
"{047F790A-7A2A-4B6A-AD02-38092BA63DAC}" = Acer VCM
"{0557BBDA-69D3-4FA4-A93C-A5300F7034B4}" = Windows Live Writer
"{05E379CC-F626-4E7D-8354-463865B303BF}" = Windows Live UX Platform Language Pack
"{0654EA5D-308A-4196-882B-5C09744A5D81}" = Windows Live Photo Common
"{06A1D88C-E102-4527-AF70-29FFD7AF215A}" = Scan
"{06B05153-97E4-427E-B1A8-E098F6C5E52F}" = Windows Live Essentials
"{073F306D-9851-4969-B828-7B6444D07D55}" = Windows Live Photo Common
"{0785A0B6-07DF-43CF-B147-E1EB4CEA0345}" = Windows Live Messenger
"{09922FFE-D153-44AE-8B60-EA3CB8088F93}" = Windows Live UX Platform Language Pack
"{0A4C4B29-5A9D-4910-A13C-B920D5758744}" = بريد Windows Live
"{0A9256E0-C924-46DE-921B-F6C4548A1C64}" = Windows Live Messenger
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0B61BBD5-DA3C-409A-8730-0C3DC3B0F270}" = Backup Manager V3
"{0C1931EB-8339-4837-8BEC-75029BF42734}" = Windows Live UX Platform Language Pack
"{0C975FCC-A06E-4CB6-8F54-A9B52CF37781}" = Windows Liven sähköposti
"{0D261C88-454B-46FE-B43B-640E621BDA11}" = Windows Live Mail
"{0E52A52C-E120-461C-AA1B-21B045BEE842}" = bpd_scan
"{0EC0B576-90F9-43C3-8FAD-A4902DF4B8F4}" = Galeria de Fotografias do Windows Live
"{10186F1A-6A14-43DF-A404-F0105D09BB07}" = Windows Live Mail
"{110668B7-54C6-47C9-BAC4-1CE77F156AF5}" = Windows Live Mesh
"{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
"{11417707-1F72-4279-95A3-01E0B898BBF5}" = Windows Live Mesh
"{11778DA1-0495-4ED9-972F-F9E0B0367CD5}" = Windows Live Writer
"{1203DC60-D9BD-44F9-B372-2B8F227E6094}" = Windows Live Temel Parçalar
"{120C160F-F53D-4A15-A873-E79BF5B98B48}" = Windows Live Photo Common
"{128133D3-037A-4C62-B1B7-55666A10587A}" = Windows Live UX Platform Language Pack
"{133D9D67-D475-4407-AC3C-D558087B2453}" = Windows Live Movie Maker
"{1458BB78-1DC5-4BC0-B9A3-2B644F5A8105}" = DeviceDiscovery
"{14B441B7-774D-4170-98EA-A13667AE6218}" = Windows Live Writer Resources
"{150B6201-E9E6-4DFB-960E-CCBD53FBDDED}" = HPProductAssistant
"{168E7302-890A-4138-9109-A225ACAF7AD1}" = Windows Live Photo Common
"{17835B63-8308-427F-8CF5-D76E0D5FE457}" = Windows Live Essentials
"{17F99FCE-8F03-4439-860A-25C5A5434E18}" = Windows Live Essentials
"{198EA334-8A3F-4CB2-9D61-6C10B8168A6F}" = Windows Live Writer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1A72337E-D126-4BAF-AC89-E6122DB71866}" = Windows Liven valokuvavalikoima
"{1A82AE99-84D3-486D-BAD6-675982603E14}" = Windows Live Writer
"{1D6C2068-807F-4B76-A0C2-62ED05656593}" = Windows Live Writer
"{1DA6D447-C54D-4833-84D4-3EA31CAECE9B}" = Windows Live UX Platform Language Pack
"{1DDB95A4-FD7B-4517-B3F1-2BCAA96879E6}" = Windows Live Writer Resources
"{1E2DBBE7-2DF6-417E-A8FA-D93F5BB16134}" = Reisebudget Planer
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{1FC83EAE-74C8-4C72-8400-2D8E40A017DE}" = Windows Live Writer
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{20381A8A-808E-4A53-B6CD-AD2B85E16365}" = Windows Live UX Platform Language Pack
"{220C7F8C-929D-4F71-9DC7-F7A6823B38E4}" = Windows Live UX Platform Language Pack
"{226F0D93-76DE-4F1C-B14D-DE10443ADB60}" = Windows Live Movie Maker
"{249EE21B-8EDD-4F36-8A23-E580E9DBE80A}" = Windows Live Mail
"{24DF33E0-F924-4D0D-9B96-11F28F0D602D}" = Windows Live UX Platform Language Pack
"{2511AAD7-82DF-4B97-B0B3-E1B933317010}" = Windows Live Writer Resources
"{25A381E1-0AB9-4E7A-ACCE-BA49D519CF4E}" = Windows Live Mail
"{25CD4B12-8CC5-433E-B723-C9CB41FA8C5A}" = Windows Live Writer
"{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java(TM) 7 Update 4
"{26E3C07C-7FF7-4362-9E99-9E49E383CF16}" = Windows Live Writer Resources
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28B9D2D8-4304-483F-AD71-51890A063A74}" = Windows Live Photo Common
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{29373E24-AC72-424E-8F2A-FB0F9436F21F}" = Windows Live Photo Common
"{2A07C35B-8384-4DA4-9A95-442B6C89A073}" = Windows Live Essentials
"{2AD2DD70-27F7-4343-BB4E-DE50A32D854B}" = Windows Live Messenger
"{2BA5FD10-653F-4CAF-9CCD-F685082A1DC1}" = Windows Live Writer
"{2C4E06CC-1F04-4C25-8B3C-93A9049EC42C}" = Windows Live UX Platform Language Pack
"{2C7E8AA1-9C03-4606-BF34-5D99D07964DA}" = Windows Live Messenger
"{2C865FB0-051E-4D22-AC62-428E035AEAF0}" = Windows Live Mesh
"{2D3E034E-F76B-410A-A169-55755D2637BB}" = Windows Live Mesh
"{2E50E321-4747-4EB5-9ECB-BBC6C3AC0F31}" = Windows Live Writer Resources
"{303143DD-1F6D-4BC5-9342-FFC2E19B2DBD}" = Windows Live Messenger
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3125D9DE-8D7A-4987-95F3-8A42389833D8}" = Windows Live Writer Resources
"{33286280-8617-11E1-8FF6-B8AC6F97B88E}" = Google Earth Plug-in
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34319F1F-7CF2-4CC9-B357-1AE7D2FF3AC5}" = Windows Live
"{34C4F5AF-D757-4E6A-ABCA-65AB5A50A1A8}" = Windows Live Messenger
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{370F888E-42A7-4911-9E34-7D74632E17EB}" = Windows Live Photo Common
"{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack
"{39BDD209-5704-480C-9F4A-B69D0370DDBB}" = Windows Live Messenger
"{39F95B0B-A0B7-4FA7-BB6C-197DA2546468}" = Windows Live Mesh
"{3B72C1E0-26A1-40F6-8516-D50C651DFB3C}" = Windows Live Essentials
"{3B9A92DA-6374-4872-B646-253F18624D5F}" = Windows Live Writer
"{3BE02281-FCCF-44BB-8413-AC4A633059EB}" = BPDSoftware
"{3D0C22FA-96D7-4789-BC5B-991A5A99BFFA}" = Windows Live Messenger
"{3DB0448D-AD82-4923-B305-D001E521A964}" = Acer ePower Management
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3F4143A1-9C21-4011-8679-3BC1014C6886}" = Windows Live Mesh
"{40BFD84C-64CD-42CC-9909-8734C50429C6}" = Windows Live UX Platform Language Pack
"{410DF0AA-882D-450D-9E1B-F5397ACFFA80}" = Windows Live Essentials
"{4264C020-850B-4F08-ACBE-98205D9C336C}" = Windows Live Writer
"{429DF1A0-3610-4E9E-8ACE-3C8AC1BA8FCA}" = Windows Live Photo Gallery
"{43B43577-2514-4CE0-B14A-7E85C17C0453}" = Windows Live Essentials
"{4444F27C-B1A8-464E-9486-4C37BAB39A09}" = Фотогалерия на Windows Live
"{458F399F-62AC-4747-99F5-499BBF073D29}" = Windows Live Writer Resources
"{4664ED39-C80A-48F7-93CD-EBDCAFAB6CC5}" = Windows Live Writer Resources
"{46872828-6453-4138-BE1C-CE35FBF67978}" = Windows Live Mesh
"{4736B0ED-F6A1-48EC-A1B7-C053027648F1}" = Galeria fotogràfica del Windows Live
"{488F0347-C4A7-4374-91A7-30818BEDA710}" = Galerie de photos Windows Live
"{48C0DC5E-820A-44F2-890E-29B68EDD3C78}" = Windows Live Writer
"{48F597DD-D397-4CFA-91A0-4C033A0113BD}" = Windows Live Mail
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A04DB63-8F81-4EF4-9D09-61A2057EF419}" = Windows Live Essentials
"{4A275FD1-2F24-4274-8C01-813F5AD1A92D}" = Windows Live Messenger
"{4B28D47A-5FF0-45F8-8745-11DC2A1C9D0F}" = Windows Live Writer
"{4C378B16-46B7-4DA1-A2CE-2EE676F74680}" = Windows Live UX Platform Language Pack
"{4D141929-141B-4605-95D6-2B8650C1C6DA}" = Windows Live UX Platform Language Pack
"{4D7BAC8A-51B8-4243-8567-1415C4272D13}" = Windows Live Writer
"{4D83F339-5A5C-4B21-8FD3-5D407B981E72}" = Windows Live Photo Common
"{50300123-F8FC-4B50-B449-E847D04F1BA2}" = Windows Live Messenger
"{506FC723-8E6C-4417-9CFF-351F99130425}" = Windows Live UX Platform Language Pack
"{523DF2BB-3A85-4047-9898-29DC8AEB7E69}" = Windows Live UX Platform Language Pack
"{5275D81E-83AD-4DE4-BC2B-6E6BA3A33244}" = Windows Live Writer Resources
"{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"{5495E9A4-501A-4D4C-87C9-E80916CA9478}" = Windows Live UX Platform Language Pack
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5B025634-7D5B-4B8D-BE2A-7943C1CF2D5D}" = Status
"{5C2F5C1B-9732-4F81-8FBF-6711627DC508}" = Windows Live Fotogalleri
"{5CF5B1A5-CBC3-42F0-8533-5A5090665862}" = Windows Live Mesh
"{5D273F60-0525-48BA-A5FB-D0CAA4A952AE}" = Windows Live Movie Maker
"{5D2E7BD7-4B6F-4086-BA8A-E88484750624}" = Windows Live Writer Resources
"{5D90ABE5-8A35-4947-8269-6F40BCE47A95}" = Windows Live Messenger
"{5DA7D148-D2D2-4C67-8444-2F0F9BD88A06}" = Windows Live Writer
"{5E627606-53B9-42D1-97E1-D03F6229E248}" = Windows Live UX Platform Language Pack
"{5F6E678A-7E61-448A-86CB-BC2AD1E04138}" = Windows Live Messenger
"{6057E21C-ABE9-4059-AE3E-3BEB9925E660}" = Windows Live Messenger
"{60C3C026-DB53-4DAB-8B97-7C1241F9A847}" = Windows Live Movie Maker
"{625D45F0-5DCB-48BF-8770-C240A84DAAEB}" = Windows Live Mesh
"{62687B11-58B5-4A18-9BC3-9DF4CE03F194}" = Windows Live Writer Resources
"{63AE67AA-1AB1-4565-B4EF-ABBC5C841E8D}" = Windows Live Messenger
"{63CF7D0C-B6E7-4EE9-8253-816B613CC437}" = Windows Live Mail
"{640798A0-A4FB-4C52-AC72-755134767F1E}" = Windows Live Movie Maker
"{64376910-1860-4CEF-8B34-AA5D205FC5F1}" = Poczta usługi Windows Live
"{644063FA-ABA3-42AC-A8AC-3EDC0706018B}" = Windows Live Mesh
"{6491AB99-A11E-41FD-A5E7-32DE8A097B8E}" = Windows Live Essentials
"{64B2D6B3-71AC-45A7-A6A1-2E07ABF58341}" = Windows Live Movie Maker
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{677AAD91-1790-4FC5-B285-0E6A9D65F7DC}" = Windows Live Mail
"{6807427D-8D68-4D30-AF5B-0B38F8F948C8}" = Windows Live Writer Resources
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{68654483-9629-4CF5-88FF-9FB70B3BECDE}" = ProductContext
"{6986737B-F286-40D1-87AF-938339DCF6AB}" = Windows Live Messenger
"{69C9C672-400A-43A0-B2DE-9DB38C371282}" = Windows Live Writer
"{69CAC24D-B1DC-4B97-A1BE-FE21843108FE}" = Windows Live Writer Resources
"{6A4ABCDC-0A49-4132-944E-01FBCCB3465C}" = Windows Live UX Platform Language Pack
"{6A563426-3474-41C6-B847-42B39F1485B2}" = Windows Live Messenger
"{6ABE832B-A5C7-44C1-B697-3E123B7B4D5B}" = Windows Live Mesh
"{6B556C37-8919-4991-AC34-93D018B9EA49}" = Windows Live Photo Common
"{6CB36609-E3A6-446C-A3C1-C71E311D2B9C}" = Windows Live Movie Maker
"{6D30E864-46AE-435B-8230-8B5D42B4AE37}" = Windows Live Messenger
"{6DEC8BD5-7574-47FA-B080-492BBBE2FEA3}" = Windows Live Movie Maker
"{6EE9F44A-B8C7-4CDB-B2A9-441AF2AE315A}" = Windows Live Messenger
"{6EF2BE2C-3121-48B7-B7A6-C56046B3A588}" = Windows Live Movie Maker
"{6F37D92B-41AA-44B7-80D2-457ABDE11896}" = Windows Live Photo Common
"{709E38A9-7F80-4598-96CC-44B0D553FECE}" = Windows Live Messenger
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71527C7C-5289-4CB2-88C9-23344C0FF6C1}" = Windows Live Movie Maker
"{71A81378-79D5-40CC-9BDC-380642D1A87F}" = Windows Live Writer
"{71C95134-F6A9-45E7-B7B3-07CA6012BF2A}" = Windows Live Mesh
"{7272F232-A7E0-4B2B-A5D2-71B7C5E2379C}" = Windows Live Fotótár
"{7327080F-6673-421F-BBD9-B618F357EEB3}" = Windows Live UX Platform Language Pack
"{734104DE-C2BF-412F-BB97-FCCE1EC94229}" = Windows Live Writer Resources
"{7373E17D-18E0-44A7-AC3A-6A3BFB85D3B3}" = Windows Live Movie Maker
"{73FC3510-6421-40F7-9503-EDAE4D0CF70D}" = Windows Live Photo Common
"{7465A996-0FCA-4D2D-A52C-F833B0829B5B}" = Windows Live Movie Maker
"{7496FD31-E5CB-4AE4-82D3-31099558BF6A}" = Windows Live Mesh
"{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
"{74E8A7F6-575D-42C7-9178-E87D1B3BEFE8}" = Windows Live UX Platform Language Pack
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77477AEA-5757-47D8-8B33-939F43D82218}" = Windows Live UX Platform Language Pack
"{77F69CA1-E53D-4D77-8BA3-FA07606CC851}" = Фотоальбом Windows Live
"{78906B56-0E81-42A7-AC25-F54C946E1538}" = Windows Live Photo Common
"{78DAE910-CA72-450E-AD22-772CB1A00678}" = Windows Live Mesh
"{7A9D47BA-6D50-4087-866F-0800D8B89383}" = Podstawowe programy Windows Live
"{7ADFA72D-2A9F-4DEC-80A5-2FAA27E23F0F}" = Windows Live Photo Common
"{7AF8E500-B349-4A77-8265-9854E9A47925}" = Windows Live Movie Maker
"{7BA19818-F717-4DFB-BC11-FAF17B2B8AEE}" = Pošta Windows Live
"{7C2A3479-A5A0-412B-B0E6-6D64CBB9B251}" = Windows Live Photo Common
"{7CB529B2-6C74-4878-9C3F-C29C3C3BBDC6}" = Windows Live Writer Resources
"{7D0DE76C-874E-4BDE-A204-F4240160693E}" = Windows Live Photo Common
"{7D1C7B9F-2744-4388-B128-5C75B8BCCC84}" = Windows Live Essentials
"{7D926AD2-16D6-42C2-8CA1-AB09E96040BA}" = Windows Live Writer Resources
"{7D99B933-E29C-4599-92F0-DAED2AF041E3}" = Windows Live Essentials
"{7E017923-16F8-4E32-94EF-0A150BD196FE}" = Windows Live Writer
"{7E90B133-FF47-48BB-91B8-36FC5A548FE9}" = Windows Live Writer Resources
"{7F6021AE-E688-4D03-843A-C2260482BA0D}" = Windows Live Messenger
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{7FF11E53-C002-4F40-8D68-6BE751E5DD62}" = Windows Live Writer Resources
"{804DE397-F82C-4867-9085-E0AA539A3294}" = Windows Live Writer
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{80E8C65A-8F70-4585-88A2-ABC54BABD576}" = Windows Live Mesh
"{827D3E4A-0186-48B7-9801-7D1E9DD40C07}" = Windows Live Essentials
"{82803FF3-563F-414F-A403-8D4C167D4120}" = Windows Live Mail
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{841F1FB4-FDF8-461C-A496-3E1CFD84C0B5}" = Windows Live Mesh
"{84267681-BF16-40B6-9564-27BC57D7D71C}" = Windows Live Photo Common
"{84A411F9-40A5-4CDA-BF46-E09FBB2BC313}" = Windows Live Essentials
"{85373DA7-834E-4850-8AF5-1D99F7526857}" = Windows Live Photo Common
"{859D4022-B76D-40DE-96EF-C90CDA263F44}" = Windows Live Writer
"{861B1145-7762-4794-B40C-3FF0A389DFE6}" = Windows Live Photo Gallery
"{86F444A5-C9B9-41DC-AF28-B5E46F5497C7}" = Windows Live Argazki Galeria
"{873E4648-6F6E-47F6-A7B2-A6F8DFABDCE6}" = Windows Live Messenger
"{885F1BCD-C344-4758-85BD-09640CF449A5}" = Windows Live Photo Gallery
"{8909CFA8-97BF-4077-AC0F-6925243FFE08}" = Windows Liven asennustyökalu
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8CF5D47D-27B7-49D6-A14F-10550B92749D}" = Windows Live UX Platform Language Pack
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E285C75-9BE2-4349-972B-DECDDF472656}" = Windows Live Writer Resources
"{8EE94FD8-5F52-4463-A340-185D16328158}" = WebReg
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90140011-0061-0407-0000-0000000FF1CE}" = Microsoft Office Home and Student 2010 - Deutsch
"{924B4D82-1B97-48EB-8F1E-55C4353C22DB}" = Windows Live Mail
"{9294F169-72EE-4D74-AE92-CA25F64B4FF8}" = Fax
"{92A51949-EE4C-466D-AAF0-99E74A49A63F}" = DocMgr
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{93C4B7D5-4E00-491F-BA3E-25B7B63EE7F6}" = Windows Live Mail
"{93E464B3-D075-4989-87FD-A828B5C308B1}" = Windows Live Writer Resources
"{97F77D62-5110-4FA3-A2D3-410B92D31199}" = Windows Live Fotogaléria
"{99BE7F5D-AB52-4404-9E03-4240FFAA7DE9}" = Windows Live Mesh
"{99F67894-9486-413F-94E1-8B12B1606EAB}" = BPDSoftware_Ini
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{9BD262D0-B788-4546-A0A5-F4F56EC3834B}" = Windows Live Photo Common
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9DA3F03B-2CEE-4344-838E-117861E61FAF}" = Windows Live Mail
"{9DB90178-B5B0-45BD-B0A7-D40A6A1DF1CA}" = Windows Live Movie Maker
"{9E2C5B0E-7A2D-4767-A9B2-77469FB1873A}" = Windows Live Mesh
"{9FAE6E8D-E686-49F5-A574-0A58DFD9580C}" = Windows Live Mail
"{A0B91308-6666-4249-8FF6-1E11AFD75FE1}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A101F637-2E56-42C0-8E08-F1E9086BFAF3}" = Windows Live Movie Maker
"{A199DB88-E22D-4CE7-90AC-B8BE396D7BF4}" = Windows Live Movie Maker
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A41A708E-3BE6-4561-855D-44027C1CF0F8}" = Windows Live Photo Common
"{A60B3BF0-954B-42AF-B8D8-2C1D34B613AA}" = Windows Live Photo Gallery
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AA787E05-E835-4812-AA3D-4048C8A46587}" = 6500_E709_eDocs
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AB0B2113-5B96-4B95-8AD1-44613384911F}" = Windows Live Mesh
"{AB78C965-5C67-409B-8433-D7B5BDB12073}" = Windows Live Writer Resources
"{ABD534B7-E951-470E-92C2-CD5AF1735726}" = Windows Live Essentials
"{ABE2F2AA-7ADC-4717-9573-BF3F83C696AC}" = Windows Live Mail
"{AC35A885-0F8F-4857-B7DA-6E8DFB43E6B3}" = HPSSupply
"{AC76BA86-7AD7-1031-7B44-AB0000000001}" = Adobe Reader XI (11.0.01) - Deutsch
"{ACFBE99B-6981-4513-B17E-A2683CEB9EE5}" = Windows Live Mesh
"{AD001A69-88CC-4766-B2DB-3C1DFAB9AC72}" = Windows Live Mesh
"{ADE85655-8D1E-4E4B-BF88-5E312FB2C74F}" = Windows Live Mail
"{ADFE4AED-7F8E-4658-8D6E-742B15B9F120}" = Windows Live Photo Common
"{AF01B90A-D25C-4F60-AECD-6EEDF509DC11}" = Windows Live Mesh
"{B0AD205F-60D0-4084-AFB8-34D9A706D9A8}" = Windows Live Essentials
"{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie
"{B1239994-A850-44E2-BED8-E70A21124E16}" = Windows Live Mail
"{B2BCA478-EC0F-45EE-A9E9-5EABE87EA72D}" = Windows Live Photo Common
"{B33B61FE-701F-425F-98AB-2B85725CBF68}" = Windows Live Photo Common
"{B3BE54A4-8DFE-4593-8E66-56AB7133B812}" = Windows Live Writer
"{B618C3BF-5142-4630-81DD-F96864F97C7E}" = Windows Live Essentials
"{B63F0CE3-CCD0-490A-9A9C-E1A3B3A17137}" = Почта Windows Live
"{B7B67AA5-12DA-4F01-918D-B1BF66779D8A}" = Windows Live Writer Resources
"{B92C5909-1D37-4C51-8397-A28BB28E5DC3}" = Facebook Video Calling 1.2.0.287
"{BB3447F6-9553-4AA9-960E-0DB5310C5779}" = GPBaseService2
"{BC5DD87B-0143-4D14-AAE6-97109614DC6B}" = SolutionCenter
"{BD4EBDB5-EB14-4120-BB04-BE0A26C7FB3E}" = Windows Live Photo Common
"{BD695C2F-3EA0-4DA4-92D5-154072468721}" = Windows Live Fotoğraf Galerisi
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{BF022D76-9F72-4203-B8FA-6522DC66DFDA}" = Windows Live Movie Maker
"{BF35168D-F6F9-4202-BA87-86B5E3C9BF7A}" = Windows Live Mesh
"{C00C2A91-6CB3-483F-80B3-2958E29468F1}" = Συλλογή φωτογραφιών του Windows Live
"{C01FCACE-CC3D-49A2-ADC2-583A49857C58}" = Windows Live Essentials
"{C08D5964-C42F-48EE-A893-2396F9562A7C}" = Windows Live Mesh
"{C1594429-8296-4652-BF54-9DBE4932A44C}" = Realtek PCIE Card Reader
"{C1C9D199-B4DD-4895-92DD-9A726A2FE341}" = Windows Live Writer
"{C29FC15D-E84B-4EEC-8505-4DED94414C59}" = Windows Live Writer Resources
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{C454280F-3C3E-4929-B60E-9E6CED5717E7}" = Windows Live Mail
"{C607265F-86AA-4B42-9F9B-D0ED2E4AACA6}" = 6500_E709a
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C8421D85-CA0E-4E93-A9A9-B826C4FB88EA}" = Windows Live Mail
"{C893D8C0-1BA0-4517-B11C-E89B65E72F70}" = Windows Live Photo Common
"{CB3F59BB-7858-41A1-A7EA-4B8A6FC7D431}" = Galeria fotografii usługi Windows Live
"{CB66242D-12B1-4494-82D2-6F53A7E024A3}" = Galerie foto Windows Live
"{CB7224D9-6DCA-43F1-8F83-6B1E39A00F92}" = Windows Live Movie Maker
"{CD31E63D-47FD-491C-8117-CF201D0AFAB5}" = TrayApp
"{CD442136-9115-4236-9C14-278F6A9DCB3F}" = Windows Live Movie Maker
"{CD7CB1E6-267A-408F-877D-B532AD2C882E}" = Windows Live Photo Common
"{CDC39BF2-9697-4959-B893-A2EE05EF6ACB}" = Windows Live Writer
"{CE929F09-3853-4180-BD90-30764BFF7136}" = גלריית התמונות של Windows Live
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CF671BFE-6BA3-44E7-98C1-500D9C51D947}" = Windows Live Photo Gallery
"{D07B1FDA-876B-4914-9E9A-309732B6D44F}" = Windows Live Mail
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D299197D-CDEA-41A6-A363-F532DE4114FD}" = Windows Live UX Platform Language Pack
"{D31169F2-CD71-4337-B783-3E53F29F4CAD}" = Windows Live Mail
"{D360FA88-17C8-4F14-B67F-13AAF9607B12}" = MarketResearch
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D54A52A8-DF24-4CE8-850B-074CA47DFA74}" = Windows Live Messenger
"{D588365A-AE39-4F27-BDAE-B4E72C8E900C}" = Windows Live Mail
"{D6C3C9E7-D334-4918-BD57-5B1EF14C207D}" = Bing Bar
"{D6CBB3B2-F510-483D-AE0D-1CF3F43CF1EE}" = Windows Live Writer Resources
"{D6F25CF9-4E87-43EB-B324-C12BE9CDD668}" = Windows Live UX Platform Language Pack
"{DA29F644-2420-4448-8128-1331BE588999}" = Windows Live Writer
"{DAEF48AD-89C8-4A93-B1DD-45B7E4FB6071}" = Windows Live Movie Maker
"{DB1208F4-B2FE-44E9-BFE6-8824DBD7891B}" = Windows Live Movie Maker
"{DBAA2B17-D596-4195-A169-BA2166B0D69B}" = Windows Live Mail
"{DCAB6BA7-6533-44BF-9235-E5BF33B7431C}" = Windows Live Writer
"{DDC1E1BD-7615-4186-89E1-F5F43F9B6491}" = Windows Live Movie Maker
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DE7C13A6-E4EA-4296-B0D5-5D7E8AD69501}" = Windows Live Writer
"{DE8F99FD-2FC7-4C98-AA67-2729FDE1F040}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{DEF91E0F-D266-453D-B6F2-1BA002B40CB6}" = Windows Live Essentials
"{DF71ABBB-B834-41C0-BB58-80B0545D754C}" = Windows Live UX Platform Language Pack
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker
"{E5377D46-83C5-445A-A1F1-830336B42A10}" = Windows Live Galerija fotografija
"{E55E0C35-AC3C-4683-BA2F-834348577B80}" = Windows Live Writer
"{E59969EA-3B5B-4B24-8B94-43842A7FBFE9}" = Fotogalerija Windows Live
"{E5DD4723-FE0B-436E-A815-DC23CF902A0B}" = Windows Live UX Platform Language Pack
"{E62E0550-C098-43A2-B54B-03FB1E634483}" = Windows Live Writer
"{E727A662-AF9F-4DEE-81C5-F4A1686F3DFC}" = Windows Live Writer Resources
"{E7688C7D-DE09-4D43-9785-534EDE9BC18E}" = Windows Live Messenger
"{E83DC314-C926-4214-AD58-147691D6FE9F}" = Основные компоненты Windows Live
"{E8524B28-3BBB-4763-AC83-0E83FE31C350}" = Windows Live Writer
"{E85A4EFC-82F2-4CEE-8A8E-62FDAD353A66}" = Galería fotográfica de Windows Live
"{E9D98402-21AB-4E9F-BF6B-47AF36EF7E97}" = Windows Live Writer Resources
"{EA777812-4905-4C08-8F6E-13BDCC734609}" = Windows Live UX Platform Language Pack
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{ED16B700-D91F-44B0-867C-7EB5253CA38D}" = Raccolta foto di Windows Live
"{EE171732-BEB4-4576-887D-CB62727F01CA}" = Acer Updater
"{EE492B20-FB15-4A98-883C-3054354A11F8}" = Windows Live Messenger
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EEF99142-3357-402C-B298-DEC303E12D92}" = Windows Live 影像中心
"{EF7EAB13-46FC-49DD-8E3C-AAF8A286C5BB}" = Windows Live 程式集
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F0F5D89A-197C-495B-827E-3E98B811CD2E}" = Windows Live Photo Common
"{F0F9505B-3ACF-4158-9311-D0285136AA00}" = Windows Live Essentials
"{F13587F7-AA4C-4C2E-AE7D-F33F3CCE57A9}" = Windows Live Messenger
"{F4BEA6C1-AAC3-4810-AAEA-588E26E0F237}" = Windows Live UX Platform Language Pack
"{F52C5BE7-3F57-464E-8A54-908402E43CE8}" = Windows Live Writer Resources
"{F53A49E6-9FB1-4A5A-B1D9-82BA116196B7}" = Acer USB Charge Manager
"{F53B432E-BD19-4400-BFA0-2BBD16410F8F}" = 6500_E709_Help
"{F694D1F7-1F12-4550-9B7A-C871273ABAD5}" = Windows Live Messenger
"{F7A46527-DF1F-4B0F-9637-98547E189442}" = Windows Live Galeria de Fotos
"{F7E80BA7-A09D-4DD1-828B-C4A0274D4720}" = Windows Live Mesh
"{F80E5450-3EF3-4270-B26C-6AC53BEC5E76}" = Windows Live Movie Maker
"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel(R) Control Center
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"{FA0FF682-CC70-4C57-93CD-E276F3E7537E}" = BufferChm
"{FA6CF94F-DACF-4FE7-959D-55C421B91B17}" = Windows Live Mail
"{FB3D07AE-73D0-47A9-AC12-6F50BF8B6202}" = Windows Live Movie Maker
"{FB79FDB7-4DE1-453D-99FE-9A880F57380E}" = Windows Live Fotogalerie
"{FBCA06D2-4642-4F33-B20A-A7AB3F0D2E69}" = معرض صور Windows Live
"{FCBC19F7-E068-4B7A-ACBB-CE9CCEB4B21F}" = Windows Live Messenger
"{FCDE76CB-989D-4E32-9739-6A272D2B0ED7}" = Windows Live Mesh
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FE62C88B-425B-4BDE-8B70-CD5AE3B83176}" = Windows Live Essentials
"{FEEF7F78-5876-438B-B554-C4CC426A4302}" = Windows Live Essentials
"{FF105207-8423-4E13-B0B1-50753170B245}" = Windows Live Movie Maker
"{FF3DFA01-1E98-46B4-A065-DA8AD47C9598}" = Windows Live Movie Maker
"{FF737490-5A2D-4269-9D82-97DB2F7C0B09}" = Windows Live Movie Maker
"Acer Registration" = Acer Registration
"Acer Screensaver" = Acer ScreenSaver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"Identity Card" = Identity Card
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = Acer Crystal Eye Webcam
"InstallShield_{0B61BBD5-DA3C-409A-8730-0C3DC3B0F270}" = Acer Backup Manager
"InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"McAfee Security Scan" = McAfee Security Scan Plus
"Mozilla Firefox 19.0.2 (x86 de)" = Mozilla Firefox 19.0.2 (x86 de)
"Mozilla Thunderbird 17.0.4 (x86 de)" = Mozilla Thunderbird 17.0.4 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.Click2Run" = Microsoft Office Klick-und-Los 2010
"VLC media player" = VLC media player 1.1.11
"WinLiveSuite" = Windows Live Essentials
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 04.07.2012 04:01:46 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 04.07.2012 17:58:19 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.07.2012 03:17:28 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.07.2012 06:25:36 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.07.2012 09:43:04 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.07.2012 18:41:28 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 06.07.2012 03:56:52 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 07.07.2012 02:50:43 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 08.07.2012 07:32:37 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 09.07.2012 02:24:24 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
[ System Events ]
Error - 24.02.2013 15:50:31 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 25.02.2013 14:01:09 | Computer Name = xxxxx-PC | Source = Service Control Manager | ID = 7034
Description = Dienst "Google Update-Dienst (gupdate)" wurde unerwartet beendet. 
Dies ist bereits 1 Mal passiert.
 
Error - 28.02.2013 10:39:30 | Computer Name = xxxxx-PC | Source = Service Control Manager | ID = 7034
Description = Dienst "HP Network Devices Support" wurde unerwartet beendet. Dies
 ist bereits 1 Mal passiert.
 
Error - 02.03.2013 05:14:21 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 02.03.2013 11:38:37 | Computer Name = xxxxx-PC | Source = Service Control Manager | ID = 7034
Description = Dienst "Google Update-Dienst (gupdate)" wurde unerwartet beendet. 
Dies ist bereits 1 Mal passiert.
 
Error - 07.03.2013 09:11:47 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 08.03.2013 02:46:57 | Computer Name = xxxxx-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Google Update-Dienst (gupdate)" wurde aufgrund folgenden
 Fehlers nicht gestartet:   %%109
 
Error - 08.03.2013 02:46:57 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10005
Description = 
 
Error - 10.03.2013 11:47:34 | Computer Name = xxxxx-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?10.?03.?2013 um 15:29:03 unerwartet heruntergefahren.
 
Error - 12.03.2013 18:22:54 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10010
Description = 
 
 
< End of report >
         

Noch ein kleiner Nachtrag:
Die Mail mit dem entsprechenden Anhang habe ich noch im Postfach und könnte sie an jemanden weiterleiten, falls das erwünscht ist.
__________________

Alt 15.03.2013, 12:49   #4
t'john
/// Helfer-Team
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon





Die Bereinigung besteht aus mehreren Schritten, die ausgefuehrt werden muessen.
Diese Nacheinander abarbeiten und die 3 Logs, die dabei erstellt werden bitte in deine naechste Antwort einfuegen.

Sollte der OTL-FIX nicht richig durchgelaufen sein. Fahre nicht fort, sondern melde dies bitte.

1. Schritt

Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

  • Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
  • Starte die OTL.exe.
    Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
  • Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:
  • Der Fix fängt mit :OTL an. Vergewissere dich, dass du ihn richtig kopiert hast.

Ersetze die *** Sternchen wieder in den Benutzernamen zurück!
Code:
ATTFilter
:OTL

O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [kjbnutye] C:\Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe (ARM Limited) 
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [Opige] C:\Users\xxxxx\AppData\Roaming\Qygyyc\alme.exe File not found 
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [userft] "C:\Users\xxxxx\AppData\Roaming\userft.exe" -autorun File not found 
@Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:5925E400 
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Xoysba 
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Qygyyc 
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Cyqeb 

:Files 
C:\ProgramData\*.exe
C:\ProgramData\*.dll
C:\ProgramData\*.tmp
C:\ProgramData\TEMP
C:\Users\xxxxx\*.tmp
C:\Users\xxxxx\AppData\*.dll
C:\Users\xxxxx\AppData\*.exe
C:\Users\xxxxx\AppData\Local\Temp\*.exe
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache
ipconfig /flushdns /c
:Commands
[emptytemp]
         
  • Schließe alle Programme.
  • Klicke auf den Fix Button.
  • Wenn OTL einen Neustart verlangt, bitte zulassen.
  • Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
    Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!



2. Schritt
Downloade dir bitte Malwarebytes Anti-Rootkit Malwarebytes Anti-Rootkit und speichere es auf deinem Desktop.
  • Starte bitte die mbar.exe.
  • Folge den Anweisungen auf deinem Bildschirm gemäß Anleitung zu Malwarebytes Anti-Rootkit
  • Aktualisiere unbedingt die Datenbank und erlaube dem Tool, dein System zu scannen.
  • Klicke auf den CleanUp Button und erlaube den Neustart.
  • Während dem Neustart wird MBAR die gefundenen Objekte entfernen, also bleib geduldig.
  • Nach dem Neustart starte die mbar.exe erneut.
  • Sollte nochmal was gefunden werden, wiederhole den CleanUp Prozess.
Das Tool wird im erstellten Ordner eine Logfile ( mbar-log-<Jahr-Monat-Tag>.txt ) erzeugen. Bitte poste diese hier.

Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers


danach:

3. Schritt
Downloade Dir bitte AdwCleaner Logo Icon AdwCleaner auf deinen Desktop.
  • Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
  • Starte die AdwCleaner.exe mit einem Doppelklick.
  • Stimme den Nutzungsbedingungen zu.
  • Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
    • "Tracing" Schlüssel löschen
    • Winsock Einstellungen zurücksetzen
    • Proxy Einstellungen zurücksetzen
    • Internet Explorer Richtlinien zurücksetzen
    • Chrome Richtlinien zurücksetzen
    • Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
  • Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
  • Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
  • Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).
__________________
Mfg, t'john
Das TB unterstützen

Alt 15.03.2013, 14:01   #5
Dr.CaRsTeN
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



Ok, vielen Dank schon einmal für dein Hilfe:

Bevor ich deinen post gelesen habe, hatte ich schon einen GMER Scan gemacht.
Das Ergebnis schreib ich einfach mal, ich weiß nciht ob es von Nutzen ist:

Code:
ATTFilter
GMER 2.1.19155 - hxxp://www.gmer.net
Rootkit scan 2013-03-15 14:25:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD50 rev.01.0 465,76GB
Running: ji6f9suz.exe; Driver: C:\Users\xxxxx\AppData\Local\Temp\kwloypoc.sys


---- User code sections - GMER 2.1 ----

.text    C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                               00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                              00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Windows\SysWOW64\svchost.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                                         00000000778a1465 2 bytes [8A, 77]
.text    C:\Windows\SysWOW64\svchost.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                                        00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                    00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                   00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\Launch Manager\LManager.exe[2748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                      00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Launch Manager\LManager.exe[2748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                     00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                          00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                         00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[3056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                         00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[3056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                        00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Users\xxxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[3628] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69                                                                                                                  00000000778a1465 2 bytes [8A, 77]
.text    C:\Users\xxxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[3628] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155                                                                                                                 00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3728] C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE!?SparseBitMask@DataSourceDescription@FlexUI@@2HB + 960  000000002d895984 4 bytes [2E, 2B, F3, 13]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                     00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                    00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                  00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                 00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                                                                     00000000778ef9c0 5 bytes JMP 000000016c925f49
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                                                                                                                                               00000000778ef9d8 5 bytes JMP 000000016c926411
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                                                                                                                                                   00000000778efa08 5 bytes JMP 000000016c92016d
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                                                                                                                                         00000000778efa20 5 bytes JMP 000000016c91fbca
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                                                                                                                                                  00000000778efa70 5 bytes JMP 000000016c91fa44
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                                                                                                                                             00000000778efa88 2 bytes JMP 000000016c91fb52
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey + 3                                                                                                                                         00000000778efa8b 2 bytes [03, F5]
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                                                                                                                                                 00000000778efb20 5 bytes JMP 000000016c920424
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                        00000000778efc18 5 bytes JMP 000000016c924369
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                                                                                                                                              00000000778efd2c 5 bytes JMP 000000016c91f9cc
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                                  00000000778efd44 5 bytes JMP 000000016c924959
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile                                                                                                                                        00000000778efd78 5 bytes JMP 000000016c9239de
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                                                                           00000000778efe24 5 bytes JMP 000000016c925fc4
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile                                                                                                                                       00000000778efe3c 5 bytes JMP 000000016c924adb
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                                00000000778f0094 5 bytes JMP 000000016c924791
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                               00000000778f01a4 5 bytes JMP 000000016c91fc42
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                                                                                                                                                00000000778f09c4 5 bytes JMP 000000016c924584
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                                                                                                                                                 00000000778f09dc 5 bytes JMP 000000016c91cc5b
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                            00000000778f0a24 5 bytes JMP 000000016c91cd29
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                                                                                                                                                  00000000778f0b60 5 bytes JMP 000000016c91ccc2
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                                                                                                                                           00000000778f0f50 5 bytes JMP 000000016c91fcba
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                                                  00000000778f0f68 5 bytes JMP 000000016c91ff45
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                                                                                                                                                 00000000778f0ff8 5 bytes JMP 000000016c9201fd
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile                                                                                                                                   00000000778f131c 5 bytes JMP 000000016c924b6b
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey                                                                                                                                     00000000778f145c 5 bytes JMP 000000016c91fec9
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject                                                                                                                                       00000000778f1508 5 bytes JMP 000000016c926389
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                                                                                                                                                 00000000778f16f8 1 byte JMP 000000016c91d138
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey + 2                                                                                                                                             00000000778f16fa 3 bytes {JMP 0xfffffffff502ba40}
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                                                                                                                                         00000000778f1a38 5 bytes JMP 000000016c91facc
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                                                                                                                                         00000000778f1b7c 5 bytes JMP 000000016c92616c
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                                                                           000000007651103d 5 bytes JMP 000000016c8f93a9
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                                                                           0000000076511072 5 bytes JMP 000000016c8f94e7
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                                                                     000000007653c9b5 5 bytes JMP 000000016c8f971d
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW                                                                                                                                         00000000765900c3 5 bytes JMP 000000016c8f9efe
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA                                                                                                                                         000000007659016b 5 bytes JMP 000000016c8fa231
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                                                                                  0000000076592c91 5 bytes JMP 000000016c8f9aa0
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!AllocConsole                                                                                                                                             00000000765b6b3e 5 bytes JMP 000000016c927431
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!AttachConsole                                                                                                                                            00000000765b6c02 5 bytes JMP 000000016c927443
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                00000000778ef9c0 5 bytes JMP 000000016c925f49
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                                                                                          00000000778ef9d8 5 bytes JMP 000000016c926411
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                                                                                              00000000778efa08 5 bytes JMP 000000016c92016d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                                                                                    00000000778efa20 5 bytes JMP 000000016c91fbca
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                                                                                             00000000778efa70 5 bytes JMP 000000016c91fa44
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                                                                                        00000000778efa88 2 bytes JMP 000000016c91fb52
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey + 3                                                                                    00000000778efa8b 2 bytes [03, F5]
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                                                                                            00000000778efb20 5 bytes JMP 000000016c920424
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                   00000000778efc18 5 bytes JMP 000000016c924369
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                                                                                         00000000778efd2c 5 bytes JMP 000000016c91f9cc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                             00000000778efd44 5 bytes JMP 000000016c924959
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile                                                                                   00000000778efd78 5 bytes JMP 000000016c9239de
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                      00000000778efe24 5 bytes JMP 000000016c925fc4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile                                                                                  00000000778efe3c 5 bytes JMP 000000016c924adb
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                           00000000778f0094 5 bytes JMP 000000016c924791
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                          00000000778f01a4 5 bytes JMP 000000016c91fc42
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                                                                                           00000000778f09c4 5 bytes JMP 000000016c924584
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                                                                                            00000000778f09dc 5 bytes JMP 000000016c91cc5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                       00000000778f0a24 5 bytes JMP 000000016c91cd29
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                                                                                             00000000778f0b60 5 bytes JMP 000000016c91ccc2
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                                                                                      00000000778f0f50 5 bytes JMP 000000016c91fcba
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys                                                                             00000000778f0f68 5 bytes JMP 000000016c91ff45
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                                                                                            00000000778f0ff8 5 bytes JMP 000000016c9201fd
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile                                                                              00000000778f131c 5 bytes JMP 000000016c924b6b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey                                                                                00000000778f145c 5 bytes JMP 000000016c91fec9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject                                                                                  00000000778f1508 5 bytes JMP 000000016c926389
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                                                                                            00000000778f16f8 1 byte JMP 000000016c91d138
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey + 2                                                                                        00000000778f16fa 3 bytes {JMP 0xfffffffff502ba40}
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                                                                                    00000000778f1a38 5 bytes JMP 000000016c91facc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                                                                                    00000000778f1b7c 5 bytes JMP 000000016c92616c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                      000000007651103d 5 bytes JMP 000000016c8f93a9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                      0000000076511072 5 bytes JMP 000000016c8f94e7
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                000000007653c9b5 5 bytes JMP 000000016c8f971d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW                                                                                    00000000765900c3 5 bytes JMP 000000016c8f9efe
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA                                                                                    000000007659016b 5 bytes JMP 000000016c8fa231
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                             0000000076592c91 5 bytes JMP 000000016c8f9aa0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!AllocConsole                                                                                        00000000765b6b3e 5 bytes JMP 000000016c927431
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!AttachConsole                                                                                       00000000765b6c02 5 bytes JMP 000000016c927443
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                                    00000000769d2aa4 5 bytes JMP 000000016c8fa43c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                                                       0000000076628a29 5 bytes JMP 000000016c927419
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                                                       000000007662d22e 5 bytes JMP 000000016c927401
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\GDI32.dll!AddFontResourceW                                                                                       0000000076a4d2b2 5 bytes JMP 000000016c907617
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\GDI32.dll!AddFontResourceA                                                                                       0000000076a4d7bb 5 bytes JMP 000000016c9075fb
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesW                                                                              0000000076451e3a 7 bytes JMP 000000016c90a3b9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW                                                                               000000007645b466 7 bytes JMP 000000016c90b2da
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW                                                                                  00000000764778ff 7 bytes JMP 000000016c90aa60
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW                                                                              00000000764779bb 7 bytes JMP 000000016c90ac11
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA                                                                               000000007647a3e2 7 bytes JMP 000000016c90b3a0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                                                0000000076492538 5 bytes JMP 000000016c8f985f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA                                                                                  00000000764b1b94 7 bytes JMP 000000016c90ab18
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA                                                                              00000000764b1c31 7 bytes JMP 000000016c90acc9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusA                                                                                 00000000764b2021 7 bytes JMP 000000016c90b21c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesA                                                                              00000000764b2104 7 bytes JMP 000000016c90a470
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusW                                                                                 00000000764b2221 5 bytes JMP 000000016c90b15e
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ControlService                                                                                       00000000769a4d5c 7 bytes JMP 000000016c90a1fe
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle                                                                                   00000000769a4dc3 7 bytes JMP 000000016c90a527
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatus                                                                                   00000000769a4e4b 7 bytes JMP 000000016c90a28a
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatusEx                                                                                 00000000769a4eaf 7 bytes JMP 000000016c90a31d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!StartServiceW                                                                                        00000000769a4f35 7 bytes JMP 000000016c90a079
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!StartServiceA                                                                                        00000000769a508d 7 bytes JMP 000000016c90a10f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity                                                                           00000000769a50f4 7 bytes JMP 000000016c90b02c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                             00000000769a5181 7 bytes JMP 000000016c90b0c8
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                                 00000000769a5254 7 bytes JMP 000000016c90a728
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                                 00000000769a53d5 7 bytes JMP 000000016c90a643
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                                00000000769a54c2 7 bytes JMP 000000016c90a9ca
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                                00000000769a55e2 7 bytes JMP 000000016c90a934
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                       00000000769a567c 7 bytes JMP 000000016c909e5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                       00000000769a589f 7 bytes JMP 000000016c909d85
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                        00000000769a5a22 7 bytes JMP 000000016c90a5b5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigA                                                                                  00000000769a5a83 7 bytes JMP 000000016c90ae5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW                                                                                  00000000769a5b29 7 bytes JMP 000000016c90adc2
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA                                                                                    00000000769a5ca0 7 bytes JMP 000000016c909535
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ControlServiceExW                                                                                    00000000769a5d8c 7 bytes JMP 000000016c9094bc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerW                                                                                       00000000769a63ad 7 bytes JMP 000000016c909a83
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerA                                                                                       00000000769a64f0 7 bytes JMP 000000016c909b0f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2A                                                                                 00000000769a6633 7 bytes JMP 000000016c90af90
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2W                                                                                 00000000769a680c 7 bytes JMP 000000016c90aef4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!OpenServiceW                                                                                         00000000769a714b 7 bytes JMP 000000016c909bf8
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!OpenServiceA                                                                                         00000000769a7245 7 bytes JMP 000000016c909c84
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoRegisterPSClsid                                                                                      0000000075ebc56e 5 bytes JMP 000000016c9111c4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7                                                                               0000000075ebea09 7 bytes JMP 000000016c911795
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!OleRun                                                                                                 0000000075ec07de 5 bytes JMP 000000016c911650
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject                                                                                  0000000075ec21e1 5 bytes JMP 000000016c9122c5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!OleUninitialize                                                                                        0000000075eceba1 6 bytes JMP 000000016c91156f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!OleInitialize                                                                                          0000000075ecefd7 5 bytes JMP 000000016c9114ff
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoGetPSClsid                                                                                           0000000075ed26b9 5 bytes JMP 000000016c91133c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoGetClassObject                                                                                       0000000075ee54ad 5 bytes JMP 000000016c912853
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoInitializeEx                                                                                         0000000075ef09ad 5 bytes JMP 000000016c9113af
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoUninitialize                                                                                         0000000075ef86d3 5 bytes JMP 000000016c911431
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                                                                       0000000075ef9d0b 5 bytes JMP 000000016c913b21
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                     0000000075ef9d4e 5 bytes JMP 000000016c911c5c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7                                                                              0000000075f1bb09 7 bytes JMP 000000016c9116c0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject                                                                                    0000000075f3eacf 5 bytes JMP 000000016c910c21
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile                                                                                  0000000075f7340b 5 bytes JMP 000000016c912d13
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc                                                                                    0000000075fbcfd9 5 bytes JMP 000000016c9115da
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject                                                                                0000000076f0279e 5 bytes JMP 000000016c910eb4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\oleaut32.dll!RevokeActiveObject                                                                                  0000000076f03294 5 bytes JMP 000000016c910fd5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\oleaut32.dll!GetActiveObject                                                                                     0000000076f18f40 5 bytes JMP 000000016c911048

---- Threads - GMER 2.1 ----

Thread   C:\Windows\SysWOW64\svchost.exe [2556:2564]                                                                                                                                                                                           000000007efa0000
Thread   C:\Windows\SysWOW64\svchost.exe [2556:2612]                                                                                                                                                                                           000000007efab973
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [5144:5820]                                                                                                                                                                        000007fefc0a2a7c
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [5144:5828]                                                                                                                                                                        000007feebebd618
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [5144:6132]                                                                                                                                                                        000007fef58b5124
---- Processes - GMER 2.1 ----

Library  Q:\140061.deu\Office14\ONENOTEM.EXE (*** suspicious ***) @ Q:\140061.deu\Office14\ONENOTEM.EXE [4480]                                                                                                                                 000000002dbb0000
Library  Q:\140061.deu\Office14\1031\ONINTL.DLL (*** suspicious ***) @ Q:\140061.deu\Office14\ONENOTEM.EXE [4480]                                                                                                                              000000006c310000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{60B71048-8782-4B42-9AFA-6AEF02FB8559}\Connection@Name                                                                                           isatap.{710CFF55-3618-4361-89AE-DA85859F823D}
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}\Connection@Name                                                                                           isatap.{2FED3E27-9FDE-4669-A696-58B52EB040B5}
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind                                                                                              \Device\{60B71048-8782-4B42-9AFA-6AEF02FB8559}?\Device\{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}?\Device\{E47E8F74-26D7-4497-A379-1C565A3C99AD}?
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route                                                                                             "{60B71048-8782-4B42-9AFA-6AEF02FB8559}"?"{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}"?"{E47E8F74-26D7-4497-A379-1C565A3C99AD}"?
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export                                                                                            \Device\TCPIP6TUNNEL_{60B71048-8782-4B42-9AFA-6AEF02FB8559}?\Device\TCPIP6TUNNEL_{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}?\Device\TCPIP6TUNNEL_{E47E8F74-26D7-4497-A379-1C565A3C99AD}?
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCopyBytes                                                                                                                                                            0xF8 0xA6 0x7A 0x83 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberElapsedTime                                                                                                                                                          24474
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoTime                                                                                                                                                               9274
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime                                                                                                                                                             94
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCopyTime                                                                                                                                                             819
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberPagesWritten                                                                                                                                                         194890
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberPagesProcessed                                                                                                                                                       493213
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberDumpCount                                                                                                                                                            13377
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberFileRuns                                                                                                                                                             3
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberReadTime                                                                                                                                                             12948
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberResumeAppTime                                                                                                                                                        13439
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressTime                                                                                                                                                         14220
Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8da955276                                                                                                                                                           
Reg      HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{60B71048-8782-4B42-9AFA-6AEF02FB8559}@InterfaceName                                                                                                                isatap.{710CFF55-3618-4361-89AE-DA85859F823D}
Reg      HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{60B71048-8782-4B42-9AFA-6AEF02FB8559}@ReusableType                                                                                                                 0
Reg      HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}@InterfaceName                                                                                                                isatap.{2FED3E27-9FDE-4669-A696-58B52EB040B5}
Reg      HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}@ReusableType                                                                                                                 0
Reg      HKLM\SYSTEM\CurrentControlSet\services\SynTP\Parameters@DetectTimeMS                                                                                                                                                                  2061
Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0f8da955276 (not active ControlSet)                                                                                                                                       

---- EOF - GMER 2.1 ----
         

Den 1. Schritt habe ich auch befolgt, das Ergebnis ist schoneinmal hier:

Code:
ATTFilter
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\Software\Microsoft\Windows\CurrentVersion\Run\\kjbnutye deleted successfully.
C:\Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Opige deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\Software\Microsoft\Windows\CurrentVersion\Run\\userft deleted successfully.
ADS C:\ProgramData\Temp:5925E400 deleted successfully.
C:\Users\xxxxx\AppData\Roaming\Xoysba folder moved successfully.
C:\Users\xxxxx\AppData\Roaming\Qygyyc folder moved successfully.
C:\Users\xxxxx\AppData\Roaming\Cyqeb folder moved successfully.
========== FILES ==========
C:\ProgramData\FullRemove.exe moved successfully.
File\Folder C:\ProgramData\*.dll not found.
File\Folder C:\ProgramData\*.tmp not found.
C:\ProgramData\Temp\{B906C11A-D193-4143-9FA7-E2EE8A5A8F21} folder moved successfully.
C:\ProgramData\Temp\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41} folder moved successfully.
C:\ProgramData\Temp\{2637C347-9DAD-11D6-9EA2-00055D0CA761} folder moved successfully.
C:\ProgramData\Temp\{14C4C3B6-F1F4-401F-8C86-03E8E19AAC8C} folder moved successfully.
C:\ProgramData\Temp\{01FB4998-33C4-4431-85ED-079E3EEFE75D} folder moved successfully.
C:\ProgramData\Temp folder moved successfully.
File\Folder C:\Users\xxxxx\*.tmp not found.
File\Folder C:\Users\xxxxx\AppData\*.dll not found.
File\Folder C:\Users\xxxxx\AppData\*.exe not found.
C:\Users\xxxxx\AppData\Local\Temp\vpnclient_setup.exe moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\tmp folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache folder moved successfully.
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Aufl”sungscache wurde geleert.
C:\Users\xxxxx\Desktop\cmd.bat deleted successfully.
C:\Users\xxxxx\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: xxxxx
->Temp folder emptied: 684242963 bytes
->Temporary Internet Files folder emptied: 81337643 bytes
->FireFox cache emptied: 67724129 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 468361099 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes
RecycleBin emptied: 2711815259 bytes
 
Total Files Cleaned = 3.828,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 03152013_143833

Files\Folders moved on Reboot...
C:\Users\xxxxx\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\xxxxx\AppData\Local\Temp\MMDUtl.log moved successfully.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.
File move failed. C:\Windows\temp\LMutilps.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
         

Die nächsten Schritte folgen.

2. Schritt:

1. Durchlauf

Code:
ATTFilter
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.15.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
xxxxx :: xxxxx-PC [administrator]

15.03.2013 15:20:00
mbar-log-2013-03-15 (15-20-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 29914
Time elapsed: 14 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|logonjqhlp (Trojan.Downloader) -> Data: "C:\Users\xxxxx\AppData\Roaming\logonjqhlp.exe" -autorun -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
c:\Users\xxxxx\AppData\Roaming\logonjqhlp.exe (Trojan.Downloader) -> Delete on reboot.

(end)
         

2. Durchlauf

Code:
ATTFilter
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.15.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
xxxxx :: xxxxx-PC [administrator]

15.03.2013 15:42:05
mbar-log-2013-03-15 (15-42-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 29881
Time elapsed: 15 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
         

3. Schritt folgt.

AdwCleaner Log<.

Code:
ATTFilter
# AdwCleaner v2.114 - Datei am 15/03/2013 um 15:50:31 erstellt
# Aktualisiert am 05/03/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : xxxxx - xxxxx-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\xxxxx\Desktop\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Ordner Gelöscht : C:\Users\xxxxx\AppData\Roaming\pdfforge

***** [Registrierungsdatenbank] *****


***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v19.0.2 (de)

Datei : C:\Users\xxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\fo02bgq9.default\prefs.js

C:\Users\xxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\fo02bgq9.default\user.js ... Gelöscht !

[OK] Die Datei ist sauber.

*************************

AdwCleaner[S1].txt - [883 octets] - [15/03/2013 15:50:31]

########## EOF - C:\AdwCleaner[S1].txt - [942 octets] ##########
         


Alt 15.03.2013, 20:01   #6
t'john
/// Helfer-Team
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



Sehr gut!

Downloade dir bitte aswMBR.exe und speichere die Datei auf deinem Desktop.
  • Starte die aswMBR.exe - (aswMBR.exe Anleitung)
    Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten".
  • Das Tool wird dich fragen, ob Du mit der aktuellen Virendefinition von AVAST! dein System scannen willst. Beantworte diese Frage bitte mit Ja. (Sollte deine Firewall fragen, bitte den Zugriff auf das Internet zulassen )
    Der Download der Definitionen kann je nach Verbindung eine Weile dauern.
  • Klicke auf Scan.
  • Warte bitte bis Scan finished successfully im DOS-Fenster steht.
  • Drücke auf Save Log und speichere diese auf dem Desktop.
Poste mir die aswMBR.txt in deiner nächsten Antwort.

Wichtig: Drücke keinesfalls einen der Fix Buttons ohne Anweisung

Hinweis: Sollte der Scan Button ausgeblendet sein, schließe das Tool und starte es erneut. Sollte der Scan abbrechen und das Programm abstürzen, dann teile mir das mit und wähle unter AV Scan die Einstellung (none).



danach:


ESET Online Scanner

  • Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
  • Lade und starte Eset Online Scanner
  • Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
  • Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
  • Klicke auf Starten.
  • Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Klicke am Ende des Suchlaufs auf Fertig stellen.
  • Schließe das Fenster von ESET.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset




danach:

Downloade Dir bitte SecurityCheck und:

  • Speichere es auf dem Desktop.
  • Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
  • Wenn der Scan beendet wurde sollte sich ein Textdokument (checkup.txt) öffnen.
Poste den Inhalt bitte hier.
__________________
--> Infizierung durch Matsnu Trojaner von Groupon

Alt 15.03.2013, 22:33   #7
Dr.CaRsTeN
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



aswmbr:

Ich weiß nicht, ob das eine Rolle spielt, aber erst der 2. Durchlauf war erfolgreich. Beim 1. versuch hat Windows einen Bluescreen produziert. Nach einem Neustart funktionierte es aber dann problemlos.

Code:
ATTFilter
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-03-15 23:13:33
-----------------------------
23:13:33.736    OS Version: Windows x64 6.1.7601 Service Pack 1
23:13:33.736    Number of processors: 4 586 0x2A07
23:13:33.736    ComputerName: xxxxx-PC  UserName: xxxxx
23:13:38.135    Initialize success
23:13:58.914    AVAST engine defs: 13031500
23:14:04.390    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:14:04.390    Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
23:14:04.405    Disk 0 MBR read successfully
23:14:04.421    Disk 0 MBR scan
23:14:04.437    Disk 0 Windows 7 default MBR code
23:14:04.452    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        15360 MB offset 2048
23:14:04.468    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 31459328
23:14:04.483    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       461478 MB offset 31664128
23:14:04.546    Disk 0 scanning C:\Windows\system32\drivers
23:14:25.356    Service scanning
23:15:06.041    Modules scanning
23:15:06.057    Disk 0 trace - called modules:
23:15:06.088    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
23:15:06.603    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80068ca060]
23:15:06.603    3 CLASSPNP.SYS[fffff880013bc43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa8004b17050]
23:15:08.241    AVAST engine scan C:\Windows
23:15:12.624    AVAST engine scan C:\Windows\system32
23:21:59.598    AVAST engine scan C:\Windows\system32\drivers
23:22:20.986    AVAST engine scan C:\Users\xxxxx
23:26:56.810    AVAST engine scan C:\ProgramData
23:28:30.753    Scan finished successfully
23:29:04.137    Disk 0 MBR has been saved successfully to "C:\Users\xxxxx\Desktop\MBR.dat"
23:29:04.153    The log file has been saved successfully to "C:\Users\xxxxx\Desktop\aswMBR.txt"
         
ESET:

Code:
ATTFilter
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=0d84bf9c495ae145aafc9877d1aeae29
# engine=13399
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-03-16 12:36:35
# local_time=2013-03-16 01:36:35 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1799 16775165 100 99 13011 228817485 5790 0
# compatibility_mode=5893 16776573 100 94 55102 115024045 0 0
# scanned=128851
# found=1
# cleaned=0
# scan_time=7108
sh=F6ECE91AECE294B20C6569476DDCBB731D674394 ft=1 fh=cc6ab26dd412f068 vn="Win32/Trustezeb.C trojan" ac=I fn="C:\_OTL\MovedFiles\03152013_143833\C_Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe"
         
Security Check

Code:
ATTFilter
 Results of screen317's Security Check version 0.99.59  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
Avira Desktop   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware Version 1.70.0.1100  
 JavaFX 2.1.0    
 Java(TM) 6 Update 29  
 Java 7 Update 17  
 Java version out of Date! 
 Adobe Flash Player 11.6.602.180  
 Adobe Reader XI  
 Mozilla Firefox (19.0.2) 
 Mozilla Thunderbird (17.0.4) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         

Alt 16.03.2013, 08:21   #8
t'john
/// Helfer-Team
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



Java(TM) 6 Update 29 unbedingt deinstallieren!




Java deaktivieren

Aufgrund derezeitigen Sicherheitsluecke:

http://www.trojaner-board.de/122961-...ktivieren.html

Danach poste mir (kopieren und einfuegen), was du hier angezeigt bekommst: PluginCheck
__________________
Mfg, t'john
Das TB unterstützen

Alt 16.03.2013, 09:36   #9
Dr.CaRsTeN
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



PluginCheck

Der PluginCheck hilft die größten Sicherheitslücken beim Surfen im Internet zu schliessen.
Überprüft wird: Browser, Flash, Java und Adobe Reader Version.

Firefox 19.0 ist aktuell

Flash (11,6,602,180) ist aktuell.

Java ist nicht Installiert oder nicht aktiviert.

Adobe Reader 11,0,1,36 ist aktuell.

Alt 17.03.2013, 09:17   #10
t'john
/// Helfer-Team
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



Sehr gut!

damit bist Du sauber und entlassen!

adwCleaner entfernen

  • Starte die adwcleaner.exe mit einem Doppelklick.
  • Klicke auf Uninstall.
  • Bestätige mit Ja.




Tool-Bereinigung mit OTL


Wir werden nun die CleanUp!-Funktion von OTL nutzen, um die meisten Programme, die wir zur Bereinigung installiert haben, wieder von Deinem System zu löschen.
  • Bitte lade Dir (falls noch nicht vorhanden) OTL von OldTimer herunter.
  • Speichere es auf Deinem Desktop.
  • Doppelklick auf OTL.exe um das Programm auszuführen.
    Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
  • Klicke auf den Button "Bereinigung"
  • OTL fragt eventuell nach einem Neustart.
    Sollte es dies tun, so lasse dies bitte zu.
Anmerkung: Nach dem Neustart werden OTL und andere Helferprogramme, die Du im Laufe der Bereinigung heruntergeladen hast, nicht mehr vorhanden sein. Sie wurden entfernt. Es ist daher Ok, wenn diese Programme nicht mehr vorhanden sind. Sollten noch welche übrig geblieben sein, lösche sie manuell.


Zurücksetzen der Sicherheitszonen

Lasse die Sicherheitszonen wieder zurücksetzen, da diese manipuliert wurden um den Browser für weitere Angriffe zu öffnen.
Gehe dabei so vor: http://www.trojaner-board.de/111805-...ecksetzen.html


Systemwiederherstellungen leeren

Damit der Rechner nicht mit einer infizierten Systemwiederherstellung erneut infiziert werden kann, muessen wir diese leeren. Dazu schalten wir sie einmal aus und dann wieder ein:
Systemwiederherstellung deaktivieren Tutorial fuer Windows XP, Windows Vista, Windows 7
Danach wieder aktivieren.



Lektuere zum abarbeiten:
http://www.trojaner-board.de/90880-d...tallation.html
http://www.trojaner-board.de/105213-...tellungen.html
PluginCheck
http://www.trojaner-board.de/96344-a...-rechners.html
Secunia Online Software Inspector
http://www.trojaner-board.de/71715-k...iendungen.html
http://www.trojaner-board.de/83238-a...sschalten.html
http://www.trojaner-board.de/109844-...ren-seite.html
PC wird immer langsamer - was tun?
__________________
Mfg, t'john
Das TB unterstützen

Alt 17.03.2013, 12:00   #11
Dr.CaRsTeN
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon



Dann habe ich jetzt allen Grund mich zu bedanken, auch im Namen meiner Freundin.

Ich finde es immer wieder bewundernswert, mit wieviel Mühe sich hier um die Probleme der User gekümmert wird, ohne gleich zu einer kompletten Formatierung zu raten.


Vielen, vielen Dank und noch einen schönen Sonntag

Carsten

Alt 17.03.2013, 12:05   #12
t'john
/// Helfer-Team
 
Infizierung durch Matsnu Trojaner von Groupon - Standard

Infizierung durch Matsnu Trojaner von Groupon





wir wuenschen eine virenfreie Zeit
__________________
Mfg, t'john
Das TB unterstützen

Antwort

Themen zu Infizierung durch Matsnu Trojaner von Groupon
anderen, auswirkungen, avira, dateien, direkt, formatierung, forum, freundin, gen, heute, liefert, löschen, matsnu.eb.130, meldungen, ordner, quarantäne, screenshot, sicherheit, system, trojaner, verschieben, warnmeldungen, win32/trustezeb.c, windows, zipdatei, zipdatei geöffnet



Ähnliche Themen: Infizierung durch Matsnu Trojaner von Groupon


  1. Windows 7:Werde Viren nicht los TR/Matsnu.A.59,TR/Matsnu.A.56 und TR/BankZone.A.8
    Log-Analyse und Auswertung - 06.09.2013 (9)
  2. Probleme wegen Trojaner durch Groupon-Rechnung
    Plagegeister aller Art und deren Bekämpfung - 03.04.2013 (12)
  3. Infizierung von Trojan.Agent.Gen nach Groupon Mail
    Log-Analyse und Auswertung - 21.03.2013 (7)
  4. Groupon Trojaner
    Plagegeister aller Art und deren Bekämpfung - 15.03.2013 (16)
  5. 2x | Groupon Trojaner
    Mülltonne - 13.03.2013 (5)
  6. Spam-Mails durch Groupon-Datenklau?
    Nachrichten - 27.02.2013 (0)
  7. Mögliche Infizierung durch USB-Stick?
    Log-Analyse und Auswertung - 17.12.2012 (3)
  8. Virenbefall durch TR / Matsnu.EB.20 ER hat alle meine Daten !!
    Plagegeister aller Art und deren Bekämpfung - 21.06.2012 (1)
  9. Infizierung durch .jpeg- Datei?
    Plagegeister aller Art und deren Bekämpfung - 10.11.2011 (1)
  10. Infizierung durch bloßes herunterladen möglich?
    Log-Analyse und Auswertung - 02.07.2011 (20)
  11. Infizierung durch Trojaner?
    Log-Analyse und Auswertung - 21.01.2011 (46)
  12. Logfile nach Infizierung durch Microsoft Security Essentials Alert und soo -.-
    Log-Analyse und Auswertung - 15.01.2011 (58)
  13. Infizierung durch TR/Crypt.XPACK.Gen3
    Plagegeister aller Art und deren Bekämpfung - 12.10.2010 (3)
  14. Infizierung durch TR/Crypt.XPACK.Gen3
    Plagegeister aller Art und deren Bekämpfung - 09.10.2010 (4)
  15. Infizierung durch Hoax.BadJoke
    Plagegeister aller Art und deren Bekämpfung - 05.10.2010 (2)
  16. Infizierung durch fehlendes SP2 (Sophos)!
    Diskussionsforum - 05.11.2006 (11)
  17. infizierung durch sub7 unter xp pro sp1?
    Plagegeister aller Art und deren Bekämpfung - 17.06.2005 (13)

Zum Thema Infizierung durch Matsnu Trojaner von Groupon - Hallo zusammen. Meine Freundin hat heute Abend eine angebliche Mail von Groupon bekommen, in der sie zu einer Vertragszahlung aufgefordert wurde. Unbedarfterweise hat sie die angehängte Zipdatei geöffnet, was jedoch - Infizierung durch Matsnu Trojaner von Groupon...
Archiv
Du betrachtest: Infizierung durch Matsnu Trojaner von Groupon auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.