
Pests of All Kinds and How to Fight Them: Infection by Matsnu Trojan from Groupon

14.03.2013, 22:27   #1
Dr.CaRsTeN
 
Infection by Matsnu Trojan from Groupon

Hello everyone.

My girlfriend received an alleged e-mail from Groupon this evening in which she was asked to make a contract payment. Unwisely, she opened the attached zip file, which however had no visible effect on the (Windows 7) system.

But now Avira keeps issuing warnings at regular intervals that the trojan TR/Matsnu.EB.130 has been found. It can be moved straight into the quarantine folder and deleted from there, but after a short time a new file with the same trojan appears again in the same folder.
I have attached a screenshot of the latest detection, in case that helps.

At first glance no files have been encrypted (yet?). Still, I have naturally become very suspicious as far as the security of the system is concerned.
I would like to avoid a complete format if that is at all possible.

I have received excellent help here in the forum before and hope you can help me, or rather my girlfriend, once again.

Best regards,
Carsten


PS: I saw the other thread about the "Groupon Trojan" here in the forum, but unfortunately I don't know enough about the subject to be sure whether I can follow all the steps in exactly the same way.
Attached image: Infizierung durch Matsnu Trojaner von Groupon-meldung.jpg

15.03.2013, 12:46   #2
Dr.CaRsTeN
 
Infection by Matsnu Trojan from Groupon

So, I have now started a few tests and am posting the results here.

First, the log file of a complete Malwarebytes scan:

Code:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.03.14.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
xxxxx :: xxxxxxxxx [Administrator]

15.03.2013 11:07:44
mbam-log-2013-03-15 (11-07-44).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|Q:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 351910
Laufzeit: 1 Stunde(n), 27 Minute(n), 52 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\xxxxx\AppData\Roaming\Qygyyc\alme.exe (Trojan.Ransom.ED) -> Löschen bei Neustart.

(Ende)

During the scan the Windows Firewall showed a prompt that I could not explain.
I am attaching a screenshot.

Further tests will follow after a restart.
Attached image: Infizierung durch Matsnu Trojaner von Groupon-firewallwarnung.jpg


15.03.2013, 13:25   #3
Dr.CaRsTeN
 
Infection by Matsnu Trojan from Groupon

Here are the two OTL log files:

Code:
OTL logfile created on: 15.03.2013 12:56:27 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxxxx\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,86 Gb Total Physical Memory | 2,08 Gb Available Physical Memory | 54,06% Memory free
7,71 Gb Paging File | 5,58 Gb Available in Paging File | 72,34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450,66 Gb Total Space | 392,77 Gb Free Space | 87,15% Space Free | Partition Type: NTFS
 
Computer Name: xxxxx-PC | User Name: xxxxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC -  File not found
PRC - C:\Users\xxxxx\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Users\xxxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe (Microsoft Corporation.)
PRC - C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Acer\Registration\GREGsvc.exe (Acer Incorporated)
PRC - C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe (NTI Corporation)
PRC - C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe (NTI Corporation)
PRC - C:\Programme\Acer\Acer Updater\UpdaterService.exe (Acer Incorporated)
PRC - C:\Program Files (x86)\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)
PRC - C:\Program Files (x86)\Launch Manager\LMutilps32.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Launch Manager\LMworker.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Dritek System Inc.)
PRC - C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe (Realsil Microelectronics Inc.)
PRC - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
PRC - C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe ()
PRC - C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe (Acer Incorporated)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\27649bdc3da750e2e072dedbff56cc0b\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\09a468fb987e5a5f345346b0910c89ca\IAStorCommon.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll ()
MOD - C:\Program Files (x86)\NTI\Acer Backup Manager\sqlite3.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (CxAudMsg) -- C:\Windows\SysNative\CxAudMsg64.exe (Conexant Systems Inc.)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (McComponentHostService) -- C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe (McAfee, Inc.)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AntiVirSchedulerService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (BBUpdate) -- C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe (Microsoft Corporation.)
SRV - (BBSvc) -- C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe (Microsoft Corporation.)
SRV - (sftvsa) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (GREGService) -- C:\Program Files (x86)\Acer\Registration\GREGsvc.exe (Acer Incorporated)
SRV - (ePowerSvc) -- C:\Programme\Acer\Acer ePower Management\ePowerSvc.exe (Acer Incorporated)
SRV - (NTI IScheduleSvc) -- C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe (NTI Corporation)
SRV - (Live Updater Service) -- C:\Programme\Acer\Acer Updater\UpdaterService.exe (Acer Incorporated)
SRV - (DsiWMIService) -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Dritek System Inc.)
SRV - (CVPND) -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (AtherosSvc) -- C:\Program Files (x86)\Bluetooth Suite\adminservice.exe (Atheros Commnucations)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (IconMan_R) -- C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe (Realsil Microelectronics Inc.)
SRV - (wlcrasvc) -- C:\Programme\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV - (wlidsvc) -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.)
SRV - (HPSLPSVC) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL (Hewlett-Packard Co.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (RS_Service) -- C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe (Acer Incorporated)
SRV - (osppsvc) -- C:\Programme\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira GmbH)
DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (Sftvol) -- C:\Windows\SysNative\drivers\Sftvollh.sys (Microsoft Corporation)
DRV:64bit: - (Sftplay) -- C:\Windows\SysNative\drivers\Sftplaylh.sys (Microsoft Corporation)
DRV:64bit: - (Sftredir) -- C:\Windows\SysNative\drivers\Sftredirlh.sys (Microsoft Corporation)
DRV:64bit: - (Sftfs) -- C:\Windows\SysNative\drivers\Sftfslh.sys (Microsoft Corporation)
DRV:64bit: - (avkmgr) -- C:\Windows\SysNative\drivers\avkmgr.sys (Avira GmbH)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (CnxtHdAudService) -- C:\Windows\SysNative\drivers\CHDRT64.sys (Conexant Systems Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (NTIDrvr) -- C:\Windows\SysNative\drivers\NTIDrvr.sys (NTI Corporation)
DRV:64bit: - (UBHelper) -- C:\Windows\SysNative\drivers\UBHelper.sys (NTI Corporation)
DRV:64bit: - (CVPNDRVA) -- C:\Windows\SysNative\drivers\CVPNDRVA.sys ()
DRV:64bit: - (BtFilter) -- C:\Windows\SysNative\drivers\btfilter.sys (Atheros)
DRV:64bit: - (BTATH_RCP) -- C:\Windows\SysNative\drivers\btath_rcp.sys (Atheros)
DRV:64bit: - (BTATH_LWFLT) -- C:\Windows\SysNative\drivers\btath_lwflt.sys (Atheros)
DRV:64bit: - (BTATH_A2DP) -- C:\Windows\SysNative\drivers\btath_a2dp.sys (Atheros)
DRV:64bit: - (BTATH_HCRP) -- C:\Windows\SysNative\drivers\btath_hcrp.sys (Atheros)
DRV:64bit: - (AthBTPort) -- C:\Windows\SysNative\drivers\btath_flt.sys (Atheros)
DRV:64bit: - (BTATH_BUS) -- C:\Windows\SysNative\drivers\btath_bus.sys (Atheros)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (RSPCIESTOR) -- C:\Windows\SysNative\drivers\RtsPStor.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (L1C) -- C:\Windows\SysNative\drivers\L1C62x64.sys (Atheros Communications, Inc.)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV:64bit: - (nusb3xhc) -- C:\Windows\SysNative\drivers\nusb3xhc.sys (Renesas Electronics Corporation)
DRV:64bit: - (nusb3hub) -- C:\Windows\SysNative\drivers\nusb3hub.sys (Renesas Electronics Corporation)
DRV:64bit: - (athr) -- C:\Windows\SysNative\drivers\athrx.sys (Atheros Communications, Inc.)
DRV:64bit: - (CVirtA) -- C:\Windows\SysNative\drivers\CVirtA64.sys (Cisco Systems, Inc.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (StillCam) -- C:\Windows\SysNative\drivers\serscan.sys (Microsoft Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (DNE) -- C:\Windows\SysNative\drivers\dne64x.sys (Deterministic Networks, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer.msn.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer.msn.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-1480892100-3287089332-176741844-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
IE - HKU\S-1-5-21-1480892100-3287089332-176741844-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer.msn.com
IE - HKU\S-1-5-21-1480892100-3287089332-176741844-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1480892100-3287089332-176741844-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de"
FF - prefs.js..extensions.enabledAddons: %7BD4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389%7D:0.9.10
FF - prefs.js..extensions.enabledAddons: donottrackplus%40abine.com:2.2.6.110
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0.2
 
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\xxxxx\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011.10.12 16:40:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.08 07:58:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.03.12 10:17:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011.10.12 16:40:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.08 07:58:59 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2013.03.12 10:17:22 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 17.0.4\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
 
[2011.10.10 14:45:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\Extensions
[2013.02.14 12:00:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\Firefox\Profiles\fo02bgq9.default\extensions
[2013.02.14 12:00:25 | 000,000,000 | ---D | M] (DoNotTrackMe) -- C:\Users\xxxxx\AppData\Roaming\mozilla\Firefox\Profiles\fo02bgq9.default\extensions\donottrackplus@abine.com
[2013.02.14 10:27:56 | 000,817,280 | ---- | M] () (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\firefox\profiles\fo02bgq9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2011.10.29 22:57:10 | 000,434,392 | ---- | M] () (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\firefox\profiles\fo02bgq9.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
[2013.02.12 06:55:59 | 000,007,919 | ---- | M] () (No name found) -- C:\Users\xxxxx\AppData\Roaming\mozilla\firefox\profiles\fo02bgq9.default\extensions\donottrackplus@abine.com\chrome\content\ff\view_expiry.js
[2013.03.08 07:58:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.03.08 07:58:59 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.06.23 15:57:29 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.09.09 11:34:40 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.06.23 15:57:29 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.06.23 15:57:29 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.06.23 15:57:29 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.06.23 15:57:29 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (CIESpeechBHO Class) - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [AthBtTray] C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe (Atheros Commnucations)
O4:64bit: - HKLM..\Run: [AtherosBtStack] C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe (Atheros Communications)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Power Management] C:\Programme\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe (NTI Corporation)
O4 - HKLM..\Run: [Dolby Home Theater v4] C:\Dolby PCEE4\pcee4.exe (Dolby Laboratories Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [Facebook Update] C:\Users\xxxxx\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [kjbnutye] C:\Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe (ARM Limited)
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [Opige] C:\Users\xxxxx\AppData\Roaming\Qygyyc\alme.exe File not found
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not found
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [userft] "C:\Users\xxxxx\AppData\Roaming\userft.exe" -autorun File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\xxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\xxxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9:64bit: - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.4.1)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 10.4.1)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{710CFF55-3618-4361-89AE-DA85859F823D}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.03.15 12:55:30 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\xxxxx\Desktop\OTL.exe
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Xoysba
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Qygyyc
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Cyqeb
[2013.03.15 11:06:38 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013.03.15 11:06:38 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013.03.15 11:06:37 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013.03.15 11:06:36 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013.03.15 11:06:36 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013.03.15 11:06:36 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013.03.15 11:06:36 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013.03.15 11:06:36 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013.03.15 11:06:35 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013.03.15 11:06:35 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013.03.15 11:06:35 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013.03.15 11:06:34 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013.03.15 11:06:33 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013.03.15 11:06:33 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013.03.15 11:06:32 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013.03.15 11:06:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013.03.15 11:04:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013.03.15 11:04:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2013.03.14 21:04:52 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\Bpcrkpilfoq
[2013.03.12 10:17:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Thunderbird
[2013.03.08 07:58:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013.02.28 10:05:04 | 002,284,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msmpeg2vdec.dll
[2013.02.28 10:05:03 | 002,776,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msmpeg2vdec.dll
[2013.02.28 10:05:02 | 000,221,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\UIAnimation.dll
[2013.02.28 10:05:02 | 000,187,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\UIAnimation.dll
[2013.02.28 10:04:54 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMPhoto.dll
[2013.02.28 10:04:54 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMPhoto.dll
[2013.02.28 10:04:44 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013.02.28 10:04:44 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013.02.28 10:04:44 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013.02.28 10:04:44 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013.02.28 10:04:44 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013.02.28 10:04:44 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013.02.28 10:04:44 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013.02.28 10:04:43 | 000,194,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll
[2013.02.28 10:04:43 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013.02.28 10:04:42 | 002,565,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll
[2013.02.28 10:04:42 | 000,522,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2013.02.28 10:04:41 | 000,364,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2013.02.28 10:04:41 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013.02.28 10:04:41 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013.02.28 10:04:41 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-user32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
[2013.02.28 10:04:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-version-l1-1-0.dll
[2013.02.28 10:04:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013.02.28 10:04:41 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013.02.28 10:04:40 | 001,504,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d11.dll
[2013.02.28 10:04:40 | 000,648,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10level9.dll
[2013.02.28 10:04:40 | 000,363,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxgi.dll
[2013.02.28 10:04:40 | 000,333,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll
[2013.02.28 10:04:40 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10core.dll
[2013.02.28 10:04:39 | 001,887,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d11.dll
[2013.02.28 10:04:39 | 001,682,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsPrint.dll
[2013.02.28 10:04:39 | 001,238,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10.dll
[2013.02.28 10:04:39 | 001,158,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsPrint.dll
[2013.02.28 10:04:38 | 001,643,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2013.02.28 10:04:38 | 000,245,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecsExt.dll
[2013.02.28 10:04:37 | 003,928,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll
[2013.02.28 10:04:37 | 001,424,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecs.dll
[2013.02.13 23:20:23 | 005,553,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013.02.13 23:20:23 | 003,967,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013.02.13 23:20:22 | 003,913,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013.02.13 23:19:00 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2013.02.13 23:19:00 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2013.02.13 23:19:00 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2013.02.13 23:19:00 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2013.02.13 23:19:00 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2013.02.13 23:18:59 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2013.02.13 23:18:39 | 000,288,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[3 C:\Users\xxxxx\Desktop\*.tmp files -> C:\Users\xxxxx\Desktop\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.03.15 12:56:55 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.15 12:56:55 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.15 12:55:33 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxxxx\Desktop\OTL.exe
[2013.03.15 12:49:32 | 000,000,035 | ---- | M] () -- C:\Users\Public\Documents\AtherosServiceConfig.ini
[2013.03.15 12:49:22 | 000,001,104 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.03.15 12:48:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.15 12:48:01 | 3104,722,944 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.15 12:18:01 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.03.15 12:17:03 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.15 11:59:02 | 000,001,138 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1480892100-3287089332-176741844-1001UA.job
[2013.03.15 11:13:31 | 000,076,649 | ---- | M] () -- C:\Users\xxxxx\Desktop\FirewallWarnung.jpg
[2013.03.15 00:30:15 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1480892100-3287089332-176741844-1001Core.job
[2013.03.14 22:18:32 | 000,029,907 | ---- | M] () -- C:\Users\xxxxx\Desktop\Meldung.jpg
[2013.03.13 13:17:19 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013.03.13 13:17:19 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013.02.14 11:00:48 | 000,297,712 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.02.14 10:35:41 | 001,522,246 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.02.14 10:35:41 | 000,654,844 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.02.14 10:35:41 | 000,616,686 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.02.14 10:35:41 | 000,130,426 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.02.14 10:35:41 | 000,106,808 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[3 C:\Users\xxxxx\Desktop\*.tmp files -> C:\Users\xxxxx\Desktop\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.03.15 11:13:30 | 000,076,649 | ---- | C] () -- C:\Users\xxxxx\Desktop\FirewallWarnung.jpg
[2013.03.14 22:18:31 | 000,029,907 | ---- | C] () -- C:\Users\xxxxx\Desktop\Meldung.jpg
[2013.01.08 07:03:09 | 000,000,303 | ---- | C] () -- C:\Windows\wininit.ini
[2012.05.21 10:12:31 | 000,001,025 | ---- | C] () -- C:\Windows\SysWow64\sysprs7.dll
[2012.05.21 10:12:31 | 000,000,205 | ---- | C] () -- C:\Windows\SysWow64\lsprst7.dll
[2011.10.19 10:33:05 | 001,526,948 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.10.12 16:38:10 | 000,262,546 | ---- | C] () -- C:\Windows\hpwins23.dat
[2011.10.12 16:38:10 | 000,002,075 | ---- | C] () -- C:\Windows\hpwmdl23.dat
[2011.06.09 08:36:27 | 000,066,856 | ---- | C] () -- C:\Windows\SysWow64\SynTPEnhPS.dll
[2011.06.09 08:35:53 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2011.06.09 08:35:52 | 000,214,760 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2011.06.09 08:35:51 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2011.06.09 08:35:50 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2011.06.09 08:35:49 | 013,355,008 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
[2011.06.09 08:15:07 | 000,131,984 | ---- | C] () -- C:\ProgramData\FullRemove.exe
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 04:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:5925E400

< End of report >
         

Code:
OTL Extras logfile created on: 15.03.2013 12:56:27 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxxxx\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,86 Gb Total Physical Memory | 2,08 Gb Available Physical Memory | 54,06% Memory free
7,71 Gb Paging File | 5,58 Gb Available in Paging File | 72,34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450,66 Gb Total Space | 392,77 Gb Free Space | 87,15% Space Free | Partition Type: NTFS
 
Computer Name: xxxxx-PC | User Name: xxxxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04A7B501-FD6F-4A69-AE21-1057B744A71B}" = lport=138 | protocol=17 | dir=in | app=system | 
"{06765592-AEBD-4140-82E5-52FDAC6F95BA}" = rport=139 | protocol=6 | dir=out | app=system | 
"{15BCEA2C-F1D4-4FB8-BCB8-EC5844A135FA}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{17C44204-59E4-4F93-8038-2BA28185403B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{19BCE7BF-0D90-47FC-A08D-9CA2481FC0FB}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{1D150150-9E22-4847-B08B-B70461A377E0}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{1F64BC9D-B7BC-4540-8F5B-89B2C828F2B3}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{2542B2CF-073F-4907-BA57-4FDFDF3B145C}" = rport=138 | protocol=17 | dir=out | app=system | 
"{2A5F9077-57A8-4FC2-A20E-F96D929488D9}" = lport=137 | protocol=17 | dir=in | app=system | 
"{2E2B199C-24D7-4BFD-9C7A-A51FCBDBF4DD}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{651E082A-3A99-4A84-A853-BDFF60E73ED0}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{68CE0A04-1213-4DD9-A4CB-3E252A6C9BC6}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) | 
"{76C74D2C-7157-4D80-8FA7-422BA8A5207E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{AB68A9C0-6B2C-48D4-983C-C1FB666EBB8A}" = lport=139 | protocol=6 | dir=in | app=system | 
"{B86A61B3-D0C5-41E6-B4C4-049ADBA4BBF0}" = rport=137 | protocol=17 | dir=out | app=system | 
"{B870EB96-1C80-489A-A725-5F614D5FC91A}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{B92FDDE8-9386-43A2-B894-B1EAEF5207F4}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe | 
"{BB05CBDA-383E-446F-B11E-C992D0C8D138}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{BB3C1922-0974-4AA9-AAFE-981B50DAF5E1}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) | 
"{C7EE0F4E-42EF-4D1A-B80F-888EE15878D5}" = lport=445 | protocol=6 | dir=in | app=system | 
"{CD495B0A-7D7D-4A65-B2F7-D0F4A0FE43BA}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{D3FE40D3-2E24-410D-8F50-17AB07AFC2D3}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{DBFA9B4D-9CAD-48B0-908F-C7A08B9E0325}" = rport=445 | protocol=6 | dir=out | app=system | 
"{EBDA6B59-4B0D-477A-BCAD-F306320EBC8E}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0676C4D1-151E-4D05-AF6E-C80F76D7FC0C}" = dir=in | app=c:\program files (x86)\acer\acer vcm\rs_service.exe | 
"{0A142BCF-8243-4102-B0CD-56F4F9674BF4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{0C506629-6794-415F-962D-6932B8883857}" = dir=in | app=c:\program files (x86)\hp\hp software update\hpwucli.exe | 
"{147560BA-2FA4-4E20-9460-9C44E6AE01C2}" = protocol=6 | dir=in | app=c:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"{1988A297-4F41-4A91-95E4-74105EF5B55B}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe | 
"{19F66BAE-A4A5-4F90-9494-6646A76074B1}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpofxs08.exe | 
"{201012C3-EAB6-4C75-9F1B-7555D58067BD}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe | 
"{2352EA1A-53A4-4112-A794-88104AF10ABC}" = dir=in | app=c:\users\xxxxx\appdata\local\facebook\video\skype\facebookvideocalling.exe | 
"{27DCC1E8-BDAE-47FC-9C97-0624178C34A2}" = dir=in | app=c:\program files (x86)\hp\digital imaging\smart web printing\smartwebprintexe.exe | 
"{303C77F1-970A-456E-91B3-CA855B04D4B6}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{33B18FC4-A013-4137-BC1A-14F271E29DDF}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{38A7737E-D208-408F-9A90-564BEDBB1566}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{3ACD0411-CDC7-4956-9595-9DB768BFF58B}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgplgtupl.exe | 
"{3B248FF3-2C4B-4A20-9610-835CFD6A39A1}" = dir=in | app=c:\users\xxxxx\appdata\local\temp\7zs6c81\oj6500ve709_full_14\setup\hpznui40.exe | 
"{3E714AA5-68D8-4172-9412-3168FAEC5749}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe | 
"{4EAED004-FFE4-442A-B957-F2AD990931A0}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{4FEB33A3-7F01-4FDC-A675-B49EAE8232DB}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpoews01.exe | 
"{52583D48-67FA-4647-AF7A-1B9DC6856AAD}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqusgm.exe | 
"{552F75DF-3581-42CB-8E77-90D2FCD71FA1}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpiscnapp.exe | 
"{557F0F61-8243-4DBB-8968-64D022982BD0}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{584C436F-31BA-4F39-85BB-B6E1A1EC8BD1}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpfccopy.exe | 
"{5AC7303C-8320-4D17-A2B1-BBC95E3EA1D7}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqste08.exe | 
"{5FF01F7D-07EC-49CA-A349-6416D12D9E09}" = protocol=6 | dir=out | app=system | 
"{60B1EDC6-A1AE-4D30-8424-BA3E47C6A43C}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{6FFCF433-02C0-4DF6-B598-49B6073B5608}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{71BFE7D9-ABBB-4052-B3C7-30B05207C2DB}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{79B77EA3-F328-463B-8782-274193EB7FF8}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{7A7D18AC-B26C-45B2-91D5-E25B7F05157A}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe | 
"{87D0BDB1-6A23-4B69-B52B-22CDAF2BC667}" = dir=in | app=c:\program files (x86)\acer\acer vcm\vc.exe | 
"{910B68F0-1E23-4D4B-B78A-358B9927D680}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqkygrp.exe | 
"{A841FB60-BB2E-47DC-BC62-EDDE48E293A7}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposfx08.exe | 
"{AF34E259-FA14-4C83-A951-B34CE5170EC5}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{BDC3263D-167F-4964-99AC-777CFBFC36AF}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpzwiz01.exe | 
"{BF6248C7-43B7-43A7-9845-F9AC7D66D0E2}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{C0D434AF-A066-47B4-AEDF-21113394D0FF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{CA492375-0D9F-4E51-9144-49A3F06E8CC9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{CF62964E-05A5-4E17-A485-76BD69B03442}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqfxt08.exe | 
"{D3C53138-DBDA-4F42-9C90-5C50B75CCC6C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{D9341060-A7DD-4E4A-A796-62043206A724}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{D9FF2C53-6B21-4553-85C3-5E22726B07FB}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgpc01.exe | 
"{DA7DE859-C5ED-4E04-927A-C518F1BE9CEE}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{E451533B-B2C4-49D1-B974-C00655125A5C}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposid01.exe | 
"{E73179DA-0A81-48AC-8B1F-305893C440B7}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqusgh.exe | 
"{EA1A0A64-4196-4503-94CC-CD6B7A7F478D}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{EE355B59-E3AC-4AD1-BD56-A9050F43776C}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{F042498C-CB49-4108-BD70-A74B0DCA0A36}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpofxm08.exe | 
"{F7B81029-003E-4799-B34A-2AEBA36F620E}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{FC12867F-E0B8-45F1-A1CD-FC0C291C7420}" = protocol=17 | dir=in | app=c:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"{FD892798-9BFE-49AA-9BF7-5279BCE79589}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"TCP Query User{1A2EEF3C-D0A9-450A-BFE9-59056FB6D6AF}C:\users\xxxxx\appdata\roaming\qygyyc\alme.exe" = protocol=6 | dir=in | app=c:\users\xxxxx\appdata\roaming\qygyyc\alme.exe | 
"TCP Query User{4FEB6648-48EE-4943-8D4D-2AA07A047A2C}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"TCP Query User{5A2A6A78-7D38-4051-820C-FAA1B862A693}C:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"TCP Query User{91D5DBA1-4AE0-4D39-867F-7FCED3190C9B}C:\program files\ibm\spss\statistics\20\stats.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\stats.exe | 
"TCP Query User{EEE63673-7265-4B76-B070-D37381BB4DD1}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{1E4685A0-E6BA-46B6-853D-44E3E0CE47FB}C:\program files\ibm\spss\statistics\20\stats.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\stats.exe | 
"UDP Query User{2E5A3611-9B8D-420F-ACCD-8AAF13927C13}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{4B6DE7E7-EB5D-402A-8BBD-DCC57BB40590}C:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\xxxxx\appdata\roaming\dropbox\bin\dropbox.exe | 
"UDP Query User{5AA2FEC0-05CD-4220-86DB-765E1AFA18DE}C:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\ibm\spss\statistics\20\jre\bin\javaw.exe | 
"UDP Query User{9181BBEC-5F96-4E05-B09C-DA81806C3246}C:\users\xxxxx\appdata\roaming\qygyyc\alme.exe" = protocol=17 | dir=in | app=c:\users\xxxxx\appdata\roaming\qygyyc\alme.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0919C44F-F18A-4E3B-A737-03685272CE72}" = Windows Live Remote Service Resources
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{1553D712-B35F-4A82-BC72-D6B11A94BE3E}" = Windows Live Remote Service Resources
"{1685AE50-97ED-485B-80F6-145071EE14B0}" = Windows Live Remote Service Resources
"{17A4FD95-A507-43F1-BC92-D8572AF8340A}" = Windows Live Remote Service Resources
"{19F09425-3C20-4730-9E2A-FC2E17C9F362}" = Windows Live Remote Service Resources
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{1EB2CFC3-E1C5-4FC4-B1F8-549DD6242C67}" = Windows Live Remote Service Resources
"{22AB5CFD-B3DB-414E-9F99-4D024CCF1DA6}" = Windows Live Remote Client Resources
"{230D1595-57DA-4933-8C4E-375797EBB7E1}" = Bluetooth Win7 Suite (64)
"{2426E29F-9E8C-4C0B-97FC-0DB690C1ED98}" = Windows Live Remote Client Resources
"{2AF8017B-E503-408F-AACE-8A335452CAD2}" = IBM SPSS Statistics 20
"{2C1A6191-9804-4FDC-AB01-6F9183C91A13}" = Windows Live Remote Client Resources
"{2F304EF4-0C31-47F4-8557-0641AAE4197C}" = Windows Live Remote Client Resources
"{34384A2A-2CA2-4446-AB0E-1F360BA2AAC5}" = Windows Live Remote Service Resources
"{350FD0E7-175A-4F86-84EF-05B77FCD7161}" = Windows Live Remote Service Resources
"{3921492E-82D2-4180-8124-E347AD2F2DB4}" = Windows Live Remote Client Resources
"{456FB9B5-AFBC-4761-BBDC-BA6BAFBB818F}" = Windows Live Remote Client Resources
"{480F28F0-8BCE-404A-A52E-0DBB7D1CE2EF}" = Windows Live Remote Service Resources
"{48C0866E-57EB-444C-8371-8E4321066BC3}" = Network64
"{4C2E49C0-9276-4324-841D-774CCCE5DB48}" = Windows Live Remote Client Resources
"{5141AA6E-5FAC-4473-BFFB-BEE69DDC7F2B}" = Windows Live Remote Service Resources
"{5151E2DB-0748-4FD1-86A2-72E2F94F8BE7}" = Windows Live Remote Service Resources
"{57F2BD1C-14A3-4785-8E48-2075B96EB2DF}" = Windows Live Remote Service Resources
"{58D79E62-CFC8-4331-8469-3A1B16E1769C}" = HP Officejet 6500 E709 Series
"{5E2CD4FB-4538-4831-8176-05D653C3E6D4}" = Windows Live Remote Service Resources
"{5F44A3A1-5D24-4708-8776-66B42B174C64}" = Windows Live Remote Client Resources
"{5FCD6EFE-C2E7-4D77-8212-4BA223D8DF8E}" = Windows Live Remote Client Resources
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}" = Cisco Systems VPN Client 5.0.07.0440
"{5FEAD3E5-A158-4B66-B92B-0C959D7CF838}" = Windows Live Remote Service Resources
"{61407251-7F7D-4303-810D-226A04D5CFF3}" = Windows Live Remote Service Resources
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{692CCE55-9EAE-4F57-A834-092882E7FE0B}" = Windows Live Remote Client Resources
"{6C9D3F1D-DBBE-46F9-96A0-726CC72935AF}" = Windows Live Remote Service Resources
"{6CBFDC3C-CF21-4C02-A6DC-A5A2707FAF55}" = Windows Live Remote Service Resources
"{702A632F-99CE-4E2D-B8F2-BF980E9CF62F}" = Windows Live Remote Client Resources
"{7AEC844D-448A-455E-A34E-E1032196BBCD}" = Windows Live Remote Service Resources
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{825C7D3F-D0B3-49D5-A42B-CBB0FBE85E99}" = Windows Live Remote Client Resources
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{850B8072-2EA7-4EDC-B930-7FE569495E76}" = Windows Live Remote Client Resources
"{8970AE69-40BE-4058-9916-0ACB1B974A3D}" = Windows Live Remote Client Resources
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EB588BD-D398-40D0-ADF7-BE1CEEF7C116}" = Windows Live Remote Client Resources
"{8F7F2D9C-2DBE-4F10-9C7C-2724110A3339}" = Windows Live Remote Service Resources
"{90140000-006D-0407-1000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97A295A7-8840-4B35-BB61-27A8F4512CA3}" = Windows Live Remote Service Resources
"{9E9C960F-7F47-46D5-A95D-950B354DE2B8}" = Windows Live Remote Service Resources
"{A060182D-CDBE-4AD6-B9B4-860B435D6CBD}" = Windows Live Remote Client Resources
"{A508D5A2-3AC1-4594-A718-A663D6D3CF11}" = Windows Live Remote Service Resources
"{A679FBE4-BA2D-4514-8834-030982C8B31A}" = Windows Live Remote Service Resources
"{A6E0F6BE-30AC-4D36-97B0-1AC20E23CB83}" = Windows Live Remote Client Resources
"{B0BF8602-EA52-4B0A-A2BD-EDABB0977030}" = Windows Live Remote Client Resources
"{B680A663-1A15-47A5-A07C-7DF9A97558B7}" = Windows Live Remote Client Resources
"{B750FA38-7AB0-42CB-ACBB-E7DBE9FF603F}" = Windows Live Remote Client Resources
"{BE930E38-7BB3-45B6-85B2-5251F374F844}" = 64 Bit HP CIO Components Installer
"{C504EC13-E122-4939-BD6E-EE5A3BAA5FEC}" = Windows Live Remote Client Resources
"{C9F05151-95A9-4B9B-B534-1760E2D014A5}" = Windows Live Remote Client Resources
"{CFF3C688-2198-4BC3-A399-598226949C39}" = Windows Live Remote Client Resources
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{D1C1556C-7FF3-48A3-A5D6-7126F0FAFB66}" = Windows Live Remote Client Resources
"{D3E4F422-7E0F-49C7-8B00-F42490D7A385}" = Windows Live Remote Service Resources
"{D5876F0A-B2E9-4376-B9F5-CD47B7B8D820}" = Windows Live Remote Client Resources
"{D930AF5C-5193-4616-887D-B974CEFC4970}" = Windows Live Remote Service Resources
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DBEDAF67-C5A3-4C91-951D-31F3FE63AF3F}" = Windows Live Remote Client Resources
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{ED421F97-E1C3-4E78-9F54-A53888215D58}" = Windows Live Remote Client Resources
"{EFB20CF5-1A6D-41F3-8895-223346CE6291}" = Windows Live Remote Service Resources
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F6CB2C5F-B2C1-4DF1-BF44-39D0DC06FE6F}" = Windows Live Remote Service Resources
"{FAA3933C-6F0D-4350-B66B-9D7F7031343E}" = Windows Live Remote Service Resources
"{FAD0EC0B-753B-4A97-AD34-32AC1EC8DB69}" = Windows Live Remote Client Resources
"CNXT_AUDIO_HDA" = Conexant HD Audio
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 14.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 14.0
"HPExtendedCapabilities" = HP Customer Participation Program 14.0
"HPOCR" = OCR Software by I.R.I.S. 14.0
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Shop for HP Supplies" = Shop for HP Supplies
"SynTPDeinstKey" = Synaptics Pointing Device Driver
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{00884F14-05BD-4D8E-90E5-1ABF78948CA4}" = Windows Live Mesh
"{0125DB4D-98A0-4DBF-B68A-23BF08FFA6A3}" = Windows Live Messenger
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = Acer Crystal Eye Webcam
"{039480EE-6933-4845-88B8-77FD0C3D059D}" = Windows Live Mesh
"{047F790A-7A2A-4B6A-AD02-38092BA63DAC}" = Acer VCM
"{0557BBDA-69D3-4FA4-A93C-A5300F7034B4}" = Windows Live Writer
"{05E379CC-F626-4E7D-8354-463865B303BF}" = Windows Live UX Platform Language Pack
"{0654EA5D-308A-4196-882B-5C09744A5D81}" = Windows Live Photo Common
"{06A1D88C-E102-4527-AF70-29FFD7AF215A}" = Scan
"{06B05153-97E4-427E-B1A8-E098F6C5E52F}" = Windows Live Essentials
"{073F306D-9851-4969-B828-7B6444D07D55}" = Windows Live Photo Common
"{0785A0B6-07DF-43CF-B147-E1EB4CEA0345}" = Windows Live Messenger
"{09922FFE-D153-44AE-8B60-EA3CB8088F93}" = Windows Live UX Platform Language Pack
"{0A4C4B29-5A9D-4910-A13C-B920D5758744}" = بريد Windows Live
"{0A9256E0-C924-46DE-921B-F6C4548A1C64}" = Windows Live Messenger
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0B61BBD5-DA3C-409A-8730-0C3DC3B0F270}" = Backup Manager V3
"{0C1931EB-8339-4837-8BEC-75029BF42734}" = Windows Live UX Platform Language Pack
"{0C975FCC-A06E-4CB6-8F54-A9B52CF37781}" = Windows Liven sähköposti
"{0D261C88-454B-46FE-B43B-640E621BDA11}" = Windows Live Mail
"{0E52A52C-E120-461C-AA1B-21B045BEE842}" = bpd_scan
"{0EC0B576-90F9-43C3-8FAD-A4902DF4B8F4}" = Galeria de Fotografias do Windows Live
"{10186F1A-6A14-43DF-A404-F0105D09BB07}" = Windows Live Mail
"{110668B7-54C6-47C9-BAC4-1CE77F156AF5}" = Windows Live Mesh
"{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
"{11417707-1F72-4279-95A3-01E0B898BBF5}" = Windows Live Mesh
"{11778DA1-0495-4ED9-972F-F9E0B0367CD5}" = Windows Live Writer
"{1203DC60-D9BD-44F9-B372-2B8F227E6094}" = Windows Live Temel Parçalar
"{120C160F-F53D-4A15-A873-E79BF5B98B48}" = Windows Live Photo Common
"{128133D3-037A-4C62-B1B7-55666A10587A}" = Windows Live UX Platform Language Pack
"{133D9D67-D475-4407-AC3C-D558087B2453}" = Windows Live Movie Maker
"{1458BB78-1DC5-4BC0-B9A3-2B644F5A8105}" = DeviceDiscovery
"{14B441B7-774D-4170-98EA-A13667AE6218}" = Windows Live Writer Resources
"{150B6201-E9E6-4DFB-960E-CCBD53FBDDED}" = HPProductAssistant
"{168E7302-890A-4138-9109-A225ACAF7AD1}" = Windows Live Photo Common
"{17835B63-8308-427F-8CF5-D76E0D5FE457}" = Windows Live Essentials
"{17F99FCE-8F03-4439-860A-25C5A5434E18}" = Windows Live Essentials
"{198EA334-8A3F-4CB2-9D61-6C10B8168A6F}" = Windows Live Writer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1A72337E-D126-4BAF-AC89-E6122DB71866}" = Windows Liven valokuvavalikoima
"{1A82AE99-84D3-486D-BAD6-675982603E14}" = Windows Live Writer
"{1D6C2068-807F-4B76-A0C2-62ED05656593}" = Windows Live Writer
"{1DA6D447-C54D-4833-84D4-3EA31CAECE9B}" = Windows Live UX Platform Language Pack
"{1DDB95A4-FD7B-4517-B3F1-2BCAA96879E6}" = Windows Live Writer Resources
"{1E2DBBE7-2DF6-417E-A8FA-D93F5BB16134}" = Reisebudget Planer
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{1FC83EAE-74C8-4C72-8400-2D8E40A017DE}" = Windows Live Writer
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{20381A8A-808E-4A53-B6CD-AD2B85E16365}" = Windows Live UX Platform Language Pack
"{220C7F8C-929D-4F71-9DC7-F7A6823B38E4}" = Windows Live UX Platform Language Pack
"{226F0D93-76DE-4F1C-B14D-DE10443ADB60}" = Windows Live Movie Maker
"{249EE21B-8EDD-4F36-8A23-E580E9DBE80A}" = Windows Live Mail
"{24DF33E0-F924-4D0D-9B96-11F28F0D602D}" = Windows Live UX Platform Language Pack
"{2511AAD7-82DF-4B97-B0B3-E1B933317010}" = Windows Live Writer Resources
"{25A381E1-0AB9-4E7A-ACCE-BA49D519CF4E}" = Windows Live Mail
"{25CD4B12-8CC5-433E-B723-C9CB41FA8C5A}" = Windows Live Writer
"{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java(TM) 7 Update 4
"{26E3C07C-7FF7-4362-9E99-9E49E383CF16}" = Windows Live Writer Resources
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28B9D2D8-4304-483F-AD71-51890A063A74}" = Windows Live Photo Common
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{29373E24-AC72-424E-8F2A-FB0F9436F21F}" = Windows Live Photo Common
"{2A07C35B-8384-4DA4-9A95-442B6C89A073}" = Windows Live Essentials
"{2AD2DD70-27F7-4343-BB4E-DE50A32D854B}" = Windows Live Messenger
"{2BA5FD10-653F-4CAF-9CCD-F685082A1DC1}" = Windows Live Writer
"{2C4E06CC-1F04-4C25-8B3C-93A9049EC42C}" = Windows Live UX Platform Language Pack
"{2C7E8AA1-9C03-4606-BF34-5D99D07964DA}" = Windows Live Messenger
"{2C865FB0-051E-4D22-AC62-428E035AEAF0}" = Windows Live Mesh
"{2D3E034E-F76B-410A-A169-55755D2637BB}" = Windows Live Mesh
"{2E50E321-4747-4EB5-9ECB-BBC6C3AC0F31}" = Windows Live Writer Resources
"{303143DD-1F6D-4BC5-9342-FFC2E19B2DBD}" = Windows Live Messenger
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3125D9DE-8D7A-4987-95F3-8A42389833D8}" = Windows Live Writer Resources
"{33286280-8617-11E1-8FF6-B8AC6F97B88E}" = Google Earth Plug-in
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34319F1F-7CF2-4CC9-B357-1AE7D2FF3AC5}" = Windows Live
"{34C4F5AF-D757-4E6A-ABCA-65AB5A50A1A8}" = Windows Live Messenger
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{370F888E-42A7-4911-9E34-7D74632E17EB}" = Windows Live Photo Common
"{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack
"{39BDD209-5704-480C-9F4A-B69D0370DDBB}" = Windows Live Messenger
"{39F95B0B-A0B7-4FA7-BB6C-197DA2546468}" = Windows Live Mesh
"{3B72C1E0-26A1-40F6-8516-D50C651DFB3C}" = Windows Live Essentials
"{3B9A92DA-6374-4872-B646-253F18624D5F}" = Windows Live Writer
"{3BE02281-FCCF-44BB-8413-AC4A633059EB}" = BPDSoftware
"{3D0C22FA-96D7-4789-BC5B-991A5A99BFFA}" = Windows Live Messenger
"{3DB0448D-AD82-4923-B305-D001E521A964}" = Acer ePower Management
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3F4143A1-9C21-4011-8679-3BC1014C6886}" = Windows Live Mesh
"{40BFD84C-64CD-42CC-9909-8734C50429C6}" = Windows Live UX Platform Language Pack
"{410DF0AA-882D-450D-9E1B-F5397ACFFA80}" = Windows Live Essentials
"{4264C020-850B-4F08-ACBE-98205D9C336C}" = Windows Live Writer
"{429DF1A0-3610-4E9E-8ACE-3C8AC1BA8FCA}" = Windows Live Photo Gallery
"{43B43577-2514-4CE0-B14A-7E85C17C0453}" = Windows Live Essentials
"{4444F27C-B1A8-464E-9486-4C37BAB39A09}" = Фотогалерия на Windows Live
"{458F399F-62AC-4747-99F5-499BBF073D29}" = Windows Live Writer Resources
"{4664ED39-C80A-48F7-93CD-EBDCAFAB6CC5}" = Windows Live Writer Resources
"{46872828-6453-4138-BE1C-CE35FBF67978}" = Windows Live Mesh
"{4736B0ED-F6A1-48EC-A1B7-C053027648F1}" = Galeria fotogràfica del Windows Live
"{488F0347-C4A7-4374-91A7-30818BEDA710}" = Galerie de photos Windows Live
"{48C0DC5E-820A-44F2-890E-29B68EDD3C78}" = Windows Live Writer
"{48F597DD-D397-4CFA-91A0-4C033A0113BD}" = Windows Live Mail
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A04DB63-8F81-4EF4-9D09-61A2057EF419}" = Windows Live Essentials
"{4A275FD1-2F24-4274-8C01-813F5AD1A92D}" = Windows Live Messenger
"{4B28D47A-5FF0-45F8-8745-11DC2A1C9D0F}" = Windows Live Writer
"{4C378B16-46B7-4DA1-A2CE-2EE676F74680}" = Windows Live UX Platform Language Pack
"{4D141929-141B-4605-95D6-2B8650C1C6DA}" = Windows Live UX Platform Language Pack
"{4D7BAC8A-51B8-4243-8567-1415C4272D13}" = Windows Live Writer
"{4D83F339-5A5C-4B21-8FD3-5D407B981E72}" = Windows Live Photo Common
"{50300123-F8FC-4B50-B449-E847D04F1BA2}" = Windows Live Messenger
"{506FC723-8E6C-4417-9CFF-351F99130425}" = Windows Live UX Platform Language Pack
"{523DF2BB-3A85-4047-9898-29DC8AEB7E69}" = Windows Live UX Platform Language Pack
"{5275D81E-83AD-4DE4-BC2B-6E6BA3A33244}" = Windows Live Writer Resources
"{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"{5495E9A4-501A-4D4C-87C9-E80916CA9478}" = Windows Live UX Platform Language Pack
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5B025634-7D5B-4B8D-BE2A-7943C1CF2D5D}" = Status
"{5C2F5C1B-9732-4F81-8FBF-6711627DC508}" = Windows Live Fotogalleri
"{5CF5B1A5-CBC3-42F0-8533-5A5090665862}" = Windows Live Mesh
"{5D273F60-0525-48BA-A5FB-D0CAA4A952AE}" = Windows Live Movie Maker
"{5D2E7BD7-4B6F-4086-BA8A-E88484750624}" = Windows Live Writer Resources
"{5D90ABE5-8A35-4947-8269-6F40BCE47A95}" = Windows Live Messenger
"{5DA7D148-D2D2-4C67-8444-2F0F9BD88A06}" = Windows Live Writer
"{5E627606-53B9-42D1-97E1-D03F6229E248}" = Windows Live UX Platform Language Pack
"{5F6E678A-7E61-448A-86CB-BC2AD1E04138}" = Windows Live Messenger
"{6057E21C-ABE9-4059-AE3E-3BEB9925E660}" = Windows Live Messenger
"{60C3C026-DB53-4DAB-8B97-7C1241F9A847}" = Windows Live Movie Maker
"{625D45F0-5DCB-48BF-8770-C240A84DAAEB}" = Windows Live Mesh
"{62687B11-58B5-4A18-9BC3-9DF4CE03F194}" = Windows Live Writer Resources
"{63AE67AA-1AB1-4565-B4EF-ABBC5C841E8D}" = Windows Live Messenger
"{63CF7D0C-B6E7-4EE9-8253-816B613CC437}" = Windows Live Mail
"{640798A0-A4FB-4C52-AC72-755134767F1E}" = Windows Live Movie Maker
"{64376910-1860-4CEF-8B34-AA5D205FC5F1}" = Poczta usługi Windows Live
"{644063FA-ABA3-42AC-A8AC-3EDC0706018B}" = Windows Live Mesh
"{6491AB99-A11E-41FD-A5E7-32DE8A097B8E}" = Windows Live Essentials
"{64B2D6B3-71AC-45A7-A6A1-2E07ABF58341}" = Windows Live Movie Maker
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{677AAD91-1790-4FC5-B285-0E6A9D65F7DC}" = Windows Live Mail
"{6807427D-8D68-4D30-AF5B-0B38F8F948C8}" = Windows Live Writer Resources
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{68654483-9629-4CF5-88FF-9FB70B3BECDE}" = ProductContext
"{6986737B-F286-40D1-87AF-938339DCF6AB}" = Windows Live Messenger
"{69C9C672-400A-43A0-B2DE-9DB38C371282}" = Windows Live Writer
"{69CAC24D-B1DC-4B97-A1BE-FE21843108FE}" = Windows Live Writer Resources
"{6A4ABCDC-0A49-4132-944E-01FBCCB3465C}" = Windows Live UX Platform Language Pack
"{6A563426-3474-41C6-B847-42B39F1485B2}" = Windows Live Messenger
"{6ABE832B-A5C7-44C1-B697-3E123B7B4D5B}" = Windows Live Mesh
"{6B556C37-8919-4991-AC34-93D018B9EA49}" = Windows Live Photo Common
"{6CB36609-E3A6-446C-A3C1-C71E311D2B9C}" = Windows Live Movie Maker
"{6D30E864-46AE-435B-8230-8B5D42B4AE37}" = Windows Live Messenger
"{6DEC8BD5-7574-47FA-B080-492BBBE2FEA3}" = Windows Live Movie Maker
"{6EE9F44A-B8C7-4CDB-B2A9-441AF2AE315A}" = Windows Live Messenger
"{6EF2BE2C-3121-48B7-B7A6-C56046B3A588}" = Windows Live Movie Maker
"{6F37D92B-41AA-44B7-80D2-457ABDE11896}" = Windows Live Photo Common
"{709E38A9-7F80-4598-96CC-44B0D553FECE}" = Windows Live Messenger
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71527C7C-5289-4CB2-88C9-23344C0FF6C1}" = Windows Live Movie Maker
"{71A81378-79D5-40CC-9BDC-380642D1A87F}" = Windows Live Writer
"{71C95134-F6A9-45E7-B7B3-07CA6012BF2A}" = Windows Live Mesh
"{7272F232-A7E0-4B2B-A5D2-71B7C5E2379C}" = Windows Live Fotótár
"{7327080F-6673-421F-BBD9-B618F357EEB3}" = Windows Live UX Platform Language Pack
"{734104DE-C2BF-412F-BB97-FCCE1EC94229}" = Windows Live Writer Resources
"{7373E17D-18E0-44A7-AC3A-6A3BFB85D3B3}" = Windows Live Movie Maker
"{73FC3510-6421-40F7-9503-EDAE4D0CF70D}" = Windows Live Photo Common
"{7465A996-0FCA-4D2D-A52C-F833B0829B5B}" = Windows Live Movie Maker
"{7496FD31-E5CB-4AE4-82D3-31099558BF6A}" = Windows Live Mesh
"{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
"{74E8A7F6-575D-42C7-9178-E87D1B3BEFE8}" = Windows Live UX Platform Language Pack
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77477AEA-5757-47D8-8B33-939F43D82218}" = Windows Live UX Platform Language Pack
"{77F69CA1-E53D-4D77-8BA3-FA07606CC851}" = Фотоальбом Windows Live
"{78906B56-0E81-42A7-AC25-F54C946E1538}" = Windows Live Photo Common
"{78DAE910-CA72-450E-AD22-772CB1A00678}" = Windows Live Mesh
"{7A9D47BA-6D50-4087-866F-0800D8B89383}" = Podstawowe programy Windows Live
"{7ADFA72D-2A9F-4DEC-80A5-2FAA27E23F0F}" = Windows Live Photo Common
"{7AF8E500-B349-4A77-8265-9854E9A47925}" = Windows Live Movie Maker
"{7BA19818-F717-4DFB-BC11-FAF17B2B8AEE}" = Pošta Windows Live
"{7C2A3479-A5A0-412B-B0E6-6D64CBB9B251}" = Windows Live Photo Common
"{7CB529B2-6C74-4878-9C3F-C29C3C3BBDC6}" = Windows Live Writer Resources
"{7D0DE76C-874E-4BDE-A204-F4240160693E}" = Windows Live Photo Common
"{7D1C7B9F-2744-4388-B128-5C75B8BCCC84}" = Windows Live Essentials
"{7D926AD2-16D6-42C2-8CA1-AB09E96040BA}" = Windows Live Writer Resources
"{7D99B933-E29C-4599-92F0-DAED2AF041E3}" = Windows Live Essentials
"{7E017923-16F8-4E32-94EF-0A150BD196FE}" = Windows Live Writer
"{7E90B133-FF47-48BB-91B8-36FC5A548FE9}" = Windows Live Writer Resources
"{7F6021AE-E688-4D03-843A-C2260482BA0D}" = Windows Live Messenger
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{7FF11E53-C002-4F40-8D68-6BE751E5DD62}" = Windows Live Writer Resources
"{804DE397-F82C-4867-9085-E0AA539A3294}" = Windows Live Writer
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{80E8C65A-8F70-4585-88A2-ABC54BABD576}" = Windows Live Mesh
"{827D3E4A-0186-48B7-9801-7D1E9DD40C07}" = Windows Live Essentials
"{82803FF3-563F-414F-A403-8D4C167D4120}" = Windows Live Mail
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{841F1FB4-FDF8-461C-A496-3E1CFD84C0B5}" = Windows Live Mesh
"{84267681-BF16-40B6-9564-27BC57D7D71C}" = Windows Live Photo Common
"{84A411F9-40A5-4CDA-BF46-E09FBB2BC313}" = Windows Live Essentials
"{85373DA7-834E-4850-8AF5-1D99F7526857}" = Windows Live Photo Common
"{859D4022-B76D-40DE-96EF-C90CDA263F44}" = Windows Live Writer
"{861B1145-7762-4794-B40C-3FF0A389DFE6}" = Windows Live Photo Gallery
"{86F444A5-C9B9-41DC-AF28-B5E46F5497C7}" = Windows Live Argazki Galeria
"{873E4648-6F6E-47F6-A7B2-A6F8DFABDCE6}" = Windows Live Messenger
"{885F1BCD-C344-4758-85BD-09640CF449A5}" = Windows Live Photo Gallery
"{8909CFA8-97BF-4077-AC0F-6925243FFE08}" = Windows Liven asennustyökalu
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8CF5D47D-27B7-49D6-A14F-10550B92749D}" = Windows Live UX Platform Language Pack
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E285C75-9BE2-4349-972B-DECDDF472656}" = Windows Live Writer Resources
"{8EE94FD8-5F52-4463-A340-185D16328158}" = WebReg
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90140011-0061-0407-0000-0000000FF1CE}" = Microsoft Office Home and Student 2010 - Deutsch
"{924B4D82-1B97-48EB-8F1E-55C4353C22DB}" = Windows Live Mail
"{9294F169-72EE-4D74-AE92-CA25F64B4FF8}" = Fax
"{92A51949-EE4C-466D-AAF0-99E74A49A63F}" = DocMgr
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{93C4B7D5-4E00-491F-BA3E-25B7B63EE7F6}" = Windows Live Mail
"{93E464B3-D075-4989-87FD-A828B5C308B1}" = Windows Live Writer Resources
"{97F77D62-5110-4FA3-A2D3-410B92D31199}" = Windows Live Fotogaléria
"{99BE7F5D-AB52-4404-9E03-4240FFAA7DE9}" = Windows Live Mesh
"{99F67894-9486-413F-94E1-8B12B1606EAB}" = BPDSoftware_Ini
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{9BD262D0-B788-4546-A0A5-F4F56EC3834B}" = Windows Live Photo Common
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9DA3F03B-2CEE-4344-838E-117861E61FAF}" = Windows Live Mail
"{9DB90178-B5B0-45BD-B0A7-D40A6A1DF1CA}" = Windows Live Movie Maker
"{9E2C5B0E-7A2D-4767-A9B2-77469FB1873A}" = Windows Live Mesh
"{9FAE6E8D-E686-49F5-A574-0A58DFD9580C}" = Windows Live Mail
"{A0B91308-6666-4249-8FF6-1E11AFD75FE1}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A101F637-2E56-42C0-8E08-F1E9086BFAF3}" = Windows Live Movie Maker
"{A199DB88-E22D-4CE7-90AC-B8BE396D7BF4}" = Windows Live Movie Maker
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A41A708E-3BE6-4561-855D-44027C1CF0F8}" = Windows Live Photo Common
"{A60B3BF0-954B-42AF-B8D8-2C1D34B613AA}" = Windows Live Photo Gallery
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AA787E05-E835-4812-AA3D-4048C8A46587}" = 6500_E709_eDocs
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AB0B2113-5B96-4B95-8AD1-44613384911F}" = Windows Live Mesh
"{AB78C965-5C67-409B-8433-D7B5BDB12073}" = Windows Live Writer Resources
"{ABD534B7-E951-470E-92C2-CD5AF1735726}" = Windows Live Essentials
"{ABE2F2AA-7ADC-4717-9573-BF3F83C696AC}" = Windows Live Mail
"{AC35A885-0F8F-4857-B7DA-6E8DFB43E6B3}" = HPSSupply
"{AC76BA86-7AD7-1031-7B44-AB0000000001}" = Adobe Reader XI (11.0.01) - Deutsch
"{ACFBE99B-6981-4513-B17E-A2683CEB9EE5}" = Windows Live Mesh
"{AD001A69-88CC-4766-B2DB-3C1DFAB9AC72}" = Windows Live Mesh
"{ADE85655-8D1E-4E4B-BF88-5E312FB2C74F}" = Windows Live Mail
"{ADFE4AED-7F8E-4658-8D6E-742B15B9F120}" = Windows Live Photo Common
"{AF01B90A-D25C-4F60-AECD-6EEDF509DC11}" = Windows Live Mesh
"{B0AD205F-60D0-4084-AFB8-34D9A706D9A8}" = Windows Live Essentials
"{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie
"{B1239994-A850-44E2-BED8-E70A21124E16}" = Windows Live Mail
"{B2BCA478-EC0F-45EE-A9E9-5EABE87EA72D}" = Windows Live Photo Common
"{B33B61FE-701F-425F-98AB-2B85725CBF68}" = Windows Live Photo Common
"{B3BE54A4-8DFE-4593-8E66-56AB7133B812}" = Windows Live Writer
"{B618C3BF-5142-4630-81DD-F96864F97C7E}" = Windows Live Essentials
"{B63F0CE3-CCD0-490A-9A9C-E1A3B3A17137}" = Почта Windows Live
"{B7B67AA5-12DA-4F01-918D-B1BF66779D8A}" = Windows Live Writer Resources
"{B92C5909-1D37-4C51-8397-A28BB28E5DC3}" = Facebook Video Calling 1.2.0.287
"{BB3447F6-9553-4AA9-960E-0DB5310C5779}" = GPBaseService2
"{BC5DD87B-0143-4D14-AAE6-97109614DC6B}" = SolutionCenter
"{BD4EBDB5-EB14-4120-BB04-BE0A26C7FB3E}" = Windows Live Photo Common
"{BD695C2F-3EA0-4DA4-92D5-154072468721}" = Windows Live Fotoğraf Galerisi
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{BF022D76-9F72-4203-B8FA-6522DC66DFDA}" = Windows Live Movie Maker
"{BF35168D-F6F9-4202-BA87-86B5E3C9BF7A}" = Windows Live Mesh
"{C00C2A91-6CB3-483F-80B3-2958E29468F1}" = Συλλογή φωτογραφιών του Windows Live
"{C01FCACE-CC3D-49A2-ADC2-583A49857C58}" = Windows Live Essentials
"{C08D5964-C42F-48EE-A893-2396F9562A7C}" = Windows Live Mesh
"{C1594429-8296-4652-BF54-9DBE4932A44C}" = Realtek PCIE Card Reader
"{C1C9D199-B4DD-4895-92DD-9A726A2FE341}" = Windows Live Writer
"{C29FC15D-E84B-4EEC-8505-4DED94414C59}" = Windows Live Writer Resources
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{C454280F-3C3E-4929-B60E-9E6CED5717E7}" = Windows Live Mail
"{C607265F-86AA-4B42-9F9B-D0ED2E4AACA6}" = 6500_E709a
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C8421D85-CA0E-4E93-A9A9-B826C4FB88EA}" = Windows Live Mail
"{C893D8C0-1BA0-4517-B11C-E89B65E72F70}" = Windows Live Photo Common
"{CB3F59BB-7858-41A1-A7EA-4B8A6FC7D431}" = Galeria fotografii usługi Windows Live
"{CB66242D-12B1-4494-82D2-6F53A7E024A3}" = Galerie foto Windows Live
"{CB7224D9-6DCA-43F1-8F83-6B1E39A00F92}" = Windows Live Movie Maker
"{CD31E63D-47FD-491C-8117-CF201D0AFAB5}" = TrayApp
"{CD442136-9115-4236-9C14-278F6A9DCB3F}" = Windows Live Movie Maker
"{CD7CB1E6-267A-408F-877D-B532AD2C882E}" = Windows Live Photo Common
"{CDC39BF2-9697-4959-B893-A2EE05EF6ACB}" = Windows Live Writer
"{CE929F09-3853-4180-BD90-30764BFF7136}" = גלריית התמונות של Windows Live
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CF671BFE-6BA3-44E7-98C1-500D9C51D947}" = Windows Live Photo Gallery
"{D07B1FDA-876B-4914-9E9A-309732B6D44F}" = Windows Live Mail
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D299197D-CDEA-41A6-A363-F532DE4114FD}" = Windows Live UX Platform Language Pack
"{D31169F2-CD71-4337-B783-3E53F29F4CAD}" = Windows Live Mail
"{D360FA88-17C8-4F14-B67F-13AAF9607B12}" = MarketResearch
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D54A52A8-DF24-4CE8-850B-074CA47DFA74}" = Windows Live Messenger
"{D588365A-AE39-4F27-BDAE-B4E72C8E900C}" = Windows Live Mail
"{D6C3C9E7-D334-4918-BD57-5B1EF14C207D}" = Bing Bar
"{D6CBB3B2-F510-483D-AE0D-1CF3F43CF1EE}" = Windows Live Writer Resources
"{D6F25CF9-4E87-43EB-B324-C12BE9CDD668}" = Windows Live UX Platform Language Pack
"{DA29F644-2420-4448-8128-1331BE588999}" = Windows Live Writer
"{DAEF48AD-89C8-4A93-B1DD-45B7E4FB6071}" = Windows Live Movie Maker
"{DB1208F4-B2FE-44E9-BFE6-8824DBD7891B}" = Windows Live Movie Maker
"{DBAA2B17-D596-4195-A169-BA2166B0D69B}" = Windows Live Mail
"{DCAB6BA7-6533-44BF-9235-E5BF33B7431C}" = Windows Live Writer
"{DDC1E1BD-7615-4186-89E1-F5F43F9B6491}" = Windows Live Movie Maker
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DE7C13A6-E4EA-4296-B0D5-5D7E8AD69501}" = Windows Live Writer
"{DE8F99FD-2FC7-4C98-AA67-2729FDE1F040}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{DEF91E0F-D266-453D-B6F2-1BA002B40CB6}" = Windows Live Essentials
"{DF71ABBB-B834-41C0-BB58-80B0545D754C}" = Windows Live UX Platform Language Pack
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker
"{E5377D46-83C5-445A-A1F1-830336B42A10}" = Windows Live Galerija fotografija
"{E55E0C35-AC3C-4683-BA2F-834348577B80}" = Windows Live Writer
"{E59969EA-3B5B-4B24-8B94-43842A7FBFE9}" = Fotogalerija Windows Live
"{E5DD4723-FE0B-436E-A815-DC23CF902A0B}" = Windows Live UX Platform Language Pack
"{E62E0550-C098-43A2-B54B-03FB1E634483}" = Windows Live Writer
"{E727A662-AF9F-4DEE-81C5-F4A1686F3DFC}" = Windows Live Writer Resources
"{E7688C7D-DE09-4D43-9785-534EDE9BC18E}" = Windows Live Messenger
"{E83DC314-C926-4214-AD58-147691D6FE9F}" = Основные компоненты Windows Live
"{E8524B28-3BBB-4763-AC83-0E83FE31C350}" = Windows Live Writer
"{E85A4EFC-82F2-4CEE-8A8E-62FDAD353A66}" = Galería fotográfica de Windows Live
"{E9D98402-21AB-4E9F-BF6B-47AF36EF7E97}" = Windows Live Writer Resources
"{EA777812-4905-4C08-8F6E-13BDCC734609}" = Windows Live UX Platform Language Pack
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{ED16B700-D91F-44B0-867C-7EB5253CA38D}" = Raccolta foto di Windows Live
"{EE171732-BEB4-4576-887D-CB62727F01CA}" = Acer Updater
"{EE492B20-FB15-4A98-883C-3054354A11F8}" = Windows Live Messenger
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EEF99142-3357-402C-B298-DEC303E12D92}" = Windows Live 影像中心
"{EF7EAB13-46FC-49DD-8E3C-AAF8A286C5BB}" = Windows Live 程式集
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F0F5D89A-197C-495B-827E-3E98B811CD2E}" = Windows Live Photo Common
"{F0F9505B-3ACF-4158-9311-D0285136AA00}" = Windows Live Essentials
"{F13587F7-AA4C-4C2E-AE7D-F33F3CCE57A9}" = Windows Live Messenger
"{F4BEA6C1-AAC3-4810-AAEA-588E26E0F237}" = Windows Live UX Platform Language Pack
"{F52C5BE7-3F57-464E-8A54-908402E43CE8}" = Windows Live Writer Resources
"{F53A49E6-9FB1-4A5A-B1D9-82BA116196B7}" = Acer USB Charge Manager
"{F53B432E-BD19-4400-BFA0-2BBD16410F8F}" = 6500_E709_Help
"{F694D1F7-1F12-4550-9B7A-C871273ABAD5}" = Windows Live Messenger
"{F7A46527-DF1F-4B0F-9637-98547E189442}" = Windows Live Galeria de Fotos
"{F7E80BA7-A09D-4DD1-828B-C4A0274D4720}" = Windows Live Mesh
"{F80E5450-3EF3-4270-B26C-6AC53BEC5E76}" = Windows Live Movie Maker
"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel(R) Control Center
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"{FA0FF682-CC70-4C57-93CD-E276F3E7537E}" = BufferChm
"{FA6CF94F-DACF-4FE7-959D-55C421B91B17}" = Windows Live Mail
"{FB3D07AE-73D0-47A9-AC12-6F50BF8B6202}" = Windows Live Movie Maker
"{FB79FDB7-4DE1-453D-99FE-9A880F57380E}" = Windows Live Fotogalerie
"{FBCA06D2-4642-4F33-B20A-A7AB3F0D2E69}" = معرض صور Windows Live
"{FCBC19F7-E068-4B7A-ACBB-CE9CCEB4B21F}" = Windows Live Messenger
"{FCDE76CB-989D-4E32-9739-6A272D2B0ED7}" = Windows Live Mesh
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FE62C88B-425B-4BDE-8B70-CD5AE3B83176}" = Windows Live Essentials
"{FEEF7F78-5876-438B-B554-C4CC426A4302}" = Windows Live Essentials
"{FF105207-8423-4E13-B0B1-50753170B245}" = Windows Live Movie Maker
"{FF3DFA01-1E98-46B4-A065-DA8AD47C9598}" = Windows Live Movie Maker
"{FF737490-5A2D-4269-9D82-97DB2F7C0B09}" = Windows Live Movie Maker
"Acer Registration" = Acer Registration
"Acer Screensaver" = Acer ScreenSaver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"Identity Card" = Identity Card
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = Acer Crystal Eye Webcam
"InstallShield_{0B61BBD5-DA3C-409A-8730-0C3DC3B0F270}" = Acer Backup Manager
"InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"McAfee Security Scan" = McAfee Security Scan Plus
"Mozilla Firefox 19.0.2 (x86 de)" = Mozilla Firefox 19.0.2 (x86 de)
"Mozilla Thunderbird 17.0.4 (x86 de)" = Mozilla Thunderbird 17.0.4 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.Click2Run" = Microsoft Office Klick-und-Los 2010
"VLC media player" = VLC media player 1.1.11
"WinLiveSuite" = Windows Live Essentials
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 04.07.2012 04:01:46 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 04.07.2012 17:58:19 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.07.2012 03:17:28 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.07.2012 06:25:36 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.07.2012 09:43:04 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 05.07.2012 18:41:28 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 06.07.2012 03:56:52 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 07.07.2012 02:50:43 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 08.07.2012 07:32:37 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 09.07.2012 02:24:24 | Computer Name = xxxxx-PC | Source = WinMgmt | ID = 10
Description = 
 
[ System Events ]
Error - 24.02.2013 15:50:31 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 25.02.2013 14:01:09 | Computer Name = xxxxx-PC | Source = Service Control Manager | ID = 7034
Description = Dienst "Google Update-Dienst (gupdate)" wurde unerwartet beendet. 
Dies ist bereits 1 Mal passiert.
 
Error - 28.02.2013 10:39:30 | Computer Name = xxxxx-PC | Source = Service Control Manager | ID = 7034
Description = Dienst "HP Network Devices Support" wurde unerwartet beendet. Dies
 ist bereits 1 Mal passiert.
 
Error - 02.03.2013 05:14:21 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 02.03.2013 11:38:37 | Computer Name = xxxxx-PC | Source = Service Control Manager | ID = 7034
Description = Dienst "Google Update-Dienst (gupdate)" wurde unerwartet beendet. 
Dies ist bereits 1 Mal passiert.
 
Error - 07.03.2013 09:11:47 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 08.03.2013 02:46:57 | Computer Name = xxxxx-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Google Update-Dienst (gupdate)" wurde aufgrund folgenden
 Fehlers nicht gestartet:   %%109
 
Error - 08.03.2013 02:46:57 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10005
Description = 
 
Error - 10.03.2013 11:47:34 | Computer Name = xxxxx-PC | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?10.?03.?2013 um 15:29:03 unerwartet heruntergefahren.
 
Error - 12.03.2013 18:22:54 | Computer Name = xxxxx-PC | Source = DCOM | ID = 10010
Description = 
 
 
< End of report >
         

A small addendum:
I still have the mail with the attachment in question in my mailbox and could forward it to someone if that is wanted.

Alt 15.03.2013, 13:49   #4
t'john
/// Helfer-Team
 

The clean-up consists of several steps that must be carried out.
Work through them one after the other and paste the 3 logs that are created into your next reply.

If the OTL fix did not run through properly, do not continue, but please report this.

Step 1

Fix with OTL

Download (if not already present) OTL from Oldtimer and save it to your desktop (nowhere else).

  • Disable any virus scanners such as Avira, Kaspersky etc.
  • Start OTL.exe.
    Vista and Windows 7 users start it by right-clicking the program icon and choosing "Run as administrator".
  • Copy the following script into the text field below Custom Scans/Fixes:
  • The fix starts with :OTL. Make sure you have copied it correctly.

Replace the *** asterisks with the user name again!
Code:
:OTL

O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [kjbnutye] C:\Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe (ARM Limited) 
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [Opige] C:\Users\xxxxx\AppData\Roaming\Qygyyc\alme.exe File not found 
O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [userft] "C:\Users\xxxxx\AppData\Roaming\userft.exe" -autorun File not found 
@Alternate Data Stream - 142 bytes -> C:\ProgramData\Temp:5925E400 
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Xoysba 
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Qygyyc 
[2013.03.15 11:08:58 | 000,000,000 | ---D | C] -- C:\Users\xxxxx\AppData\Roaming\Cyqeb 

:Files 
C:\ProgramData\*.exe
C:\ProgramData\*.dll
C:\ProgramData\*.tmp
C:\ProgramData\TEMP
C:\Users\xxxxx\*.tmp
C:\Users\xxxxx\AppData\*.dll
C:\Users\xxxxx\AppData\*.exe
C:\Users\xxxxx\AppData\Local\Temp\*.exe
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache
ipconfig /flushdns /c
:Commands
[emptytemp]
         
  • Close all programs.
  • Click the Fix button.
  • If OTL asks for a restart, please allow it.
  • Paste the contents of the log file into your thread here in code tags.
    You can view the log file afterwards here => C:\_OTL\MovedFiles\<date_number.log>

Note for other readers: the OTL script above was created exclusively for this user in this situation.
Never apply it on other computers, it can permanently damage other systems!



Step 2
Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Please start mbar.exe.
  • Follow the instructions on your screen according to the Malwarebytes Anti-Rootkit guide.
  • Be sure to update the database and allow the tool to scan your system.
  • Click the CleanUp button and allow the restart.
  • During the restart MBAR will remove the objects it found, so be patient.
  • After the restart, start mbar.exe again.
  • If something is found again, repeat the CleanUp process.
The tool will create a log file ( mbar-log-<year-month-day>.txt ) in the folder it created. Please post it here.

Do not start any other file in this folder without instruction from a helper.


afterwards:

Step 3
Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Delete and confirm any prompts with Ok.
  • Your computer will restart automatically. After the restart a text file opens. Post its contents with your next reply.
  • You will also find the log file under C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).
Regards, t'john
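As an added example (not part of this thread, and not OTL's or the helper's own code): a small Python triage script that parses OTL "O4" Run-key lines like the three in the fix script above and scores them for the persistence indicators the helper targeted, a target file that no longer exists, an executable under the user profile or ProgramData, and random-looking directory or file names. The sample lines are constructed, modelled on the log quoted in this thread; the "Example Vendor" entries and the scoring weights are assumptions of this example.

```python
"""Triage OTL 'O4' (Run-key) lines for the persistence indicators seen in this thread.
Added example, not OTL's or the helper's code; the sample lines below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Three entries modelled on the thread's OTL log plus two made-up benign ones
# ("Example Vendor" is a placeholder, not a real product).
SAMPLE_OTL_LINES = [
    r"O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [kjbnutye] C:\Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe (ARM Limited)",
    r"O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [Opige] C:\Users\xxxxx\AppData\Roaming\Qygyyc\alme.exe File not found",
    r'O4 - HKU\S-1-5-21-1480892100-3287089332-176741844-1001..\Run: [userft] "C:\Users\xxxxx\AppData\Roaming\userft.exe" -autorun File not found',
    r"O4 - HKLM..\Run: [ExampleTool] C:\Program Files (x86)\Example Vendor\exampletool.exe (Example Vendor GmbH)",
    r"O4 - HKLM..\Run: [SyncTray] C:\Program Files (x86)\Example Vendor\synctray.exe (Example Vendor GmbH)",
]

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|bat|cmd|vbs))"?', re.IGNORECASE)
PUBLISHER_RE = re.compile(r"\((?P<pub>[^()]*)\)\s*$")
VOWELS = set("aeiou")
USER_WRITABLE_MARKERS = ("c:\\users\\", "c:\\programdata\\", "\\temp\\")

@dataclass
class AutorunEntry:
    hive: str
    name: str
    path: str
    publisher: Optional[str]
    missing: bool  # OTL appends "File not found" when the target does not exist

@dataclass
class Finding:
    entry: AutorunEntry
    score: int
    reasons: List[str]

def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one OTL O4 line; None for other line types or unrecognised paths."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    pm = PATH_RE.match(rest)
    if not pm:
        return None
    trailer = rest[pm.end():].strip()  # publisher, arguments or "File not found"
    pub = PUBLISHER_RE.search(trailer)
    return AutorunEntry(m.group("hive"), m.group("name"), pm.group("path"),
                        pub.group("pub") if pub else None, "File not found" in trailer)

def looks_random(token: str) -> bool:
    """Letters-only token with a run of 4+ consonants (y counts as a consonant):
    'Bpcrkpilfoq' and 'Qygyyc' match, 'userft' and 'Roaming' do not."""
    if not token.isalpha() or len(token) < 5:
        return False
    run = longest = 0
    for ch in token.lower():
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4

def random_components(path: str) -> List[str]:
    """Directory names and the file stem that look random. The account name right
    under \\Users\\ is skipped because posted logs often mask it (xxxxx here)."""
    parts = path.split("\\")
    start = 3 if len(parts) > 3 and parts[1].lower() == "users" else 1
    names = parts[start:]
    names[-1] = names[-1].rsplit(".", 1)[0]  # drop the extension
    return [n for n in names if looks_random(n)]

def assess(entry: AutorunEntry) -> Finding:
    """Score one entry; the weights are this example's assumption, not an OTL rule."""
    score, reasons = 0, []
    writable = any(marker in entry.path.lower() for marker in USER_WRITABLE_MARKERS)
    if entry.missing:
        score += 2
        reasons.append("Run entry points to a file that no longer exists")
    if writable:
        score += 1
        reasons.append("executable lives under the user profile, ProgramData or a Temp folder")
    rnd = random_components(entry.path)
    if rnd:
        score += 1
        reasons.append("random-looking name(s): " + ", ".join(rnd))
    if writable and entry.publisher:
        score += 1
        reasons.append(f'claims publisher "{entry.publisher}" from a user-writable path')
    return Finding(entry, score, reasons)

def triage(lines: List[str], threshold: int = 2) -> List[Finding]:
    """Findings scoring at least `threshold`, in input order; a random-looking
    name alone (SyncTray above) stays below it."""
    entries = [e for e in map(parse_o4, lines) if e is not None]
    return [f for f in map(assess, entries) if f.score >= threshold]

if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LINES):
        print(f"[{f.score}] {f.entry.hive}..\\Run [{f.entry.name}] -> {f.entry.path}")
        print("      " + "; ".join(f.reasons))
```

Run against the constructed lines, the three entries the helper's fix script removes are the only ones reported; the heuristic is a triage aid for reading such logs, not a replacement for the helper's review.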

Alt 15.03.2013, 15:01   #5
Dr.CaRsTeN
 

Ok, many thanks in advance for your help:

Before I read your post, I had already run a GMER scan.
I'll just post the result, I don't know whether it is of any use:

Code:
GMER 2.1.19155 - hxxp://www.gmer.net
Rootkit scan 2013-03-15 14:25:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD50 rev.01.0 465,76GB
Running: ji6f9suz.exe; Driver: C:\Users\xxxxx\AppData\Local\Temp\kwloypoc.sys


---- User code sections - GMER 2.1 ----

.text    C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                               00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                              00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Windows\SysWOW64\svchost.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                                         00000000778a1465 2 bytes [8A, 77]
.text    C:\Windows\SysWOW64\svchost.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                                        00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                    00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                   00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\Launch Manager\LManager.exe[2748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                                      00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Launch Manager\LManager.exe[2748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                                     00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                          00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                         00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[3056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                                         00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[3056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                                        00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Users\xxxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[3628] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69                                                                                                                  00000000778a1465 2 bytes [8A, 77]
.text    C:\Users\xxxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe[3628] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155                                                                                                                 00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3728] C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE!?SparseBitMask@DataSourceDescription@FlexUI@@2HB + 960  000000002d895984 4 bytes [2E, 2B, F3, 13]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                     00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE[3728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                    00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                                  00000000778a1465 2 bytes [8A, 77]
.text    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                                 00000000778a14bb 2 bytes [8A, 77]
.text    ...                                                                                                                                                                                                                                   * 2
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                                                                     00000000778ef9c0 5 bytes JMP 000000016c925f49
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                                                                                                                                               00000000778ef9d8 5 bytes JMP 000000016c926411
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                                                                                                                                                   00000000778efa08 5 bytes JMP 000000016c92016d
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                                                                                                                                         00000000778efa20 5 bytes JMP 000000016c91fbca
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                                                                                                                                                  00000000778efa70 5 bytes JMP 000000016c91fa44
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                                                                                                                                             00000000778efa88 2 bytes JMP 000000016c91fb52
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey + 3                                                                                                                                         00000000778efa8b 2 bytes [03, F5]
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                                                                                                                                                 00000000778efb20 5 bytes JMP 000000016c920424
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                        00000000778efc18 5 bytes JMP 000000016c924369
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                                                                                                                                              00000000778efd2c 5 bytes JMP 000000016c91f9cc
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                                  00000000778efd44 5 bytes JMP 000000016c924959
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile                                                                                                                                        00000000778efd78 5 bytes JMP 000000016c9239de
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                                                                           00000000778efe24 5 bytes JMP 000000016c925fc4
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile                                                                                                                                       00000000778efe3c 5 bytes JMP 000000016c924adb
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                                00000000778f0094 5 bytes JMP 000000016c924791
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                               00000000778f01a4 5 bytes JMP 000000016c91fc42
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                                                                                                                                                00000000778f09c4 5 bytes JMP 000000016c924584
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                                                                                                                                                 00000000778f09dc 5 bytes JMP 000000016c91cc5b
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                            00000000778f0a24 5 bytes JMP 000000016c91cd29
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                                                                                                                                                  00000000778f0b60 5 bytes JMP 000000016c91ccc2
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                                                                                                                                           00000000778f0f50 5 bytes JMP 000000016c91fcba
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys                                                                                                                                  00000000778f0f68 5 bytes JMP 000000016c91ff45
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                                                                                                                                                 00000000778f0ff8 5 bytes JMP 000000016c9201fd
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile                                                                                                                                   00000000778f131c 5 bytes JMP 000000016c924b6b
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey                                                                                                                                     00000000778f145c 5 bytes JMP 000000016c91fec9
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject                                                                                                                                       00000000778f1508 5 bytes JMP 000000016c926389
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                                                                                                                                                 00000000778f16f8 1 byte JMP 000000016c91d138
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey + 2                                                                                                                                             00000000778f16fa 3 bytes {JMP 0xfffffffff502ba40}
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                                                                                                                                         00000000778f1a38 5 bytes JMP 000000016c91facc
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                                                                                                                                         00000000778f1b7c 5 bytes JMP 000000016c92616c
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                                                                           000000007651103d 5 bytes JMP 000000016c8f93a9
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                                                                           0000000076511072 5 bytes JMP 000000016c8f94e7
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                                                                     000000007653c9b5 5 bytes JMP 000000016c8f971d
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW                                                                                                                                         00000000765900c3 5 bytes JMP 000000016c8f9efe
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA                                                                                                                                         000000007659016b 5 bytes JMP 000000016c8fa231
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                                                                                  0000000076592c91 5 bytes JMP 000000016c8f9aa0
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!AllocConsole                                                                                                                                             00000000765b6b3e 5 bytes JMP 000000016c927431
.text    C:\Windows\system32\SearchIndexer.exe[4480] C:\Windows\syswow64\kernel32.dll!AttachConsole                                                                                                                                            00000000765b6c02 5 bytes JMP 000000016c927443
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                00000000778ef9c0 5 bytes JMP 000000016c925f49
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject                                                                                          00000000778ef9d8 5 bytes JMP 000000016c926411
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey                                                                                              00000000778efa08 5 bytes JMP 000000016c92016d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey                                                                                    00000000778efa20 5 bytes JMP 000000016c91fbca
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey                                                                                             00000000778efa70 5 bytes JMP 000000016c91fa44
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                                                                                        00000000778efa88 2 bytes JMP 000000016c91fb52
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey + 3                                                                                    00000000778efa8b 2 bytes [03, F5]
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey                                                                                            00000000778efb20 5 bytes JMP 000000016c920424
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                   00000000778efc18 5 bytes JMP 000000016c924369
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey                                                                                         00000000778efd2c 5 bytes JMP 000000016c91f9cc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                             00000000778efd44 5 bytes JMP 000000016c924959
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile                                                                                   00000000778efd78 5 bytes JMP 000000016c9239de
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                      00000000778efe24 5 bytes JMP 000000016c925fc4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile                                                                                  00000000778efe3c 5 bytes JMP 000000016c924adb
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                           00000000778f0094 5 bytes JMP 000000016c924791
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                          00000000778f01a4 5 bytes JMP 000000016c91fc42
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile                                                                                           00000000778f09c4 5 bytes JMP 000000016c924584
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey                                                                                            00000000778f09dc 5 bytes JMP 000000016c91cc5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                       00000000778f0a24 5 bytes JMP 000000016c91cd29
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey                                                                                             00000000778f0b60 5 bytes JMP 000000016c91ccc2
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey                                                                                      00000000778f0f50 5 bytes JMP 000000016c91fcba
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys                                                                             00000000778f0f68 5 bytes JMP 000000016c91ff45
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx                                                                                            00000000778f0ff8 5 bytes JMP 000000016c9201fd
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile                                                                              00000000778f131c 5 bytes JMP 000000016c924b6b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey                                                                                00000000778f145c 5 bytes JMP 000000016c91fec9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject                                                                                  00000000778f1508 5 bytes JMP 000000016c926389
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey                                                                                            00000000778f16f8 1 byte JMP 000000016c91d138
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey + 2                                                                                        00000000778f16fa 3 bytes {JMP 0xfffffffff502ba40}
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey                                                                                    00000000778f1a38 5 bytes JMP 000000016c91facc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject                                                                                    00000000778f1b7c 5 bytes JMP 000000016c92616c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!CreateProcessW                                                                                      000000007651103d 5 bytes JMP 000000016c8f93a9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                      0000000076511072 5 bytes JMP 000000016c8f94e7
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW                                                                                000000007653c9b5 5 bytes JMP 000000016c8f971d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryW                                                                                    00000000765900c3 5 bytes JMP 000000016c8f9efe
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!SetDllDirectoryA                                                                                    000000007659016b 5 bytes JMP 000000016c8fa231
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                             0000000076592c91 5 bytes JMP 000000016c8f9aa0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!AllocConsole                                                                                        00000000765b6b3e 5 bytes JMP 000000016c927431
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\kernel32.dll!AttachConsole                                                                                       00000000765b6c02 5 bytes JMP 000000016c927443
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                                    00000000769d2aa4 5 bytes JMP 000000016c8fa43c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                                                       0000000076628a29 5 bytes JMP 000000016c927419
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                                                       000000007662d22e 5 bytes JMP 000000016c927401
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\GDI32.dll!AddFontResourceW                                                                                       0000000076a4d2b2 5 bytes JMP 000000016c907617
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\GDI32.dll!AddFontResourceA                                                                                       0000000076a4d7bb 5 bytes JMP 000000016c9075fb
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesW                                                                              0000000076451e3a 7 bytes JMP 000000016c90a3b9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExW                                                                               000000007645b466 7 bytes JMP 000000016c90b2da
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameW                                                                                  00000000764778ff 7 bytes JMP 000000016c90aa60
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameW                                                                              00000000764779bb 7 bytes JMP 000000016c90ac11
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusExA                                                                               000000007647a3e2 7 bytes JMP 000000016c90b3a0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA                                                                                0000000076492538 5 bytes JMP 000000016c8f985f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!GetServiceKeyNameA                                                                                  00000000764b1b94 7 bytes JMP 000000016c90ab18
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!GetServiceDisplayNameA                                                                              00000000764b1c31 7 bytes JMP 000000016c90acc9
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusA                                                                                 00000000764b2021 7 bytes JMP 000000016c90b21c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumDependentServicesA                                                                              00000000764b2104 7 bytes JMP 000000016c90a470
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ADVAPI32.dll!EnumServicesStatusW                                                                                 00000000764b2221 5 bytes JMP 000000016c90b15e
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ControlService                                                                                       00000000769a4d5c 7 bytes JMP 000000016c90a1fe
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!CloseServiceHandle                                                                                   00000000769a4dc3 7 bytes JMP 000000016c90a527
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatus                                                                                   00000000769a4e4b 7 bytes JMP 000000016c90a28a
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceStatusEx                                                                                 00000000769a4eaf 7 bytes JMP 000000016c90a31d
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!StartServiceW                                                                                        00000000769a4f35 7 bytes JMP 000000016c90a079
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!StartServiceA                                                                                        00000000769a508d 7 bytes JMP 000000016c90a10f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceObjectSecurity                                                                           00000000769a50f4 7 bytes JMP 000000016c90b02c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                                             00000000769a5181 7 bytes JMP 000000016c90b0c8
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                                                 00000000769a5254 7 bytes JMP 000000016c90a728
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                                                 00000000769a53d5 7 bytes JMP 000000016c90a643
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                                                00000000769a54c2 7 bytes JMP 000000016c90a9ca
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                                                00000000769a55e2 7 bytes JMP 000000016c90a934
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                                                       00000000769a567c 7 bytes JMP 000000016c909e5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                                                       00000000769a589f 7 bytes JMP 000000016c909d85
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                                        00000000769a5a22 7 bytes JMP 000000016c90a5b5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigA                                                                                  00000000769a5a83 7 bytes JMP 000000016c90ae5b
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW                                                                                  00000000769a5b29 7 bytes JMP 000000016c90adc2
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA                                                                                    00000000769a5ca0 7 bytes JMP 000000016c909535
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!ControlServiceExW                                                                                    00000000769a5d8c 7 bytes JMP 000000016c9094bc
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerW                                                                                       00000000769a63ad 7 bytes JMP 000000016c909a83
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!OpenSCManagerA                                                                                       00000000769a64f0 7 bytes JMP 000000016c909b0f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2A                                                                                 00000000769a6633 7 bytes JMP 000000016c90af90
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfig2W                                                                                 00000000769a680c 7 bytes JMP 000000016c90aef4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!OpenServiceW                                                                                         00000000769a714b 7 bytes JMP 000000016c909bf8
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\SysWOW64\sechost.dll!OpenServiceA                                                                                         00000000769a7245 7 bytes JMP 000000016c909c84
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoRegisterPSClsid                                                                                      0000000075ebc56e 5 bytes JMP 000000016c9111c4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoResumeClassObjects + 7                                                                               0000000075ebea09 7 bytes JMP 000000016c911795
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!OleRun                                                                                                 0000000075ec07de 5 bytes JMP 000000016c911650
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject                                                                                  0000000075ec21e1 5 bytes JMP 000000016c9122c5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!OleUninitialize                                                                                        0000000075eceba1 6 bytes JMP 000000016c91156f
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!OleInitialize                                                                                          0000000075ecefd7 5 bytes JMP 000000016c9114ff
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoGetPSClsid                                                                                           0000000075ed26b9 5 bytes JMP 000000016c91133c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoGetClassObject                                                                                       0000000075ee54ad 5 bytes JMP 000000016c912853
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoInitializeEx                                                                                         0000000075ef09ad 5 bytes JMP 000000016c9113af
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoUninitialize                                                                                         0000000075ef86d3 5 bytes JMP 000000016c911431
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                                                                       0000000075ef9d0b 5 bytes JMP 000000016c913b21
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx                                                                                     0000000075ef9d4e 5 bytes JMP 000000016c911c5c
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoSuspendClassObjects + 7                                                                              0000000075f1bb09 7 bytes JMP 000000016c9116c0
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject                                                                                    0000000075f3eacf 5 bytes JMP 000000016c910c21
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!CoGetInstanceFromFile                                                                                  0000000075f7340b 5 bytes JMP 000000016c912d13
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\ole32.dll!OleRegEnumFormatEtc                                                                                    0000000075fbcfd9 5 bytes JMP 000000016c9115da
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\oleaut32.dll!RegisterActiveObject                                                                                0000000076f0279e 5 bytes JMP 000000016c910eb4
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\oleaut32.dll!RevokeActiveObject                                                                                  0000000076f03294 5 bytes JMP 000000016c910fd5
.text    C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[4624] C:\Windows\syswow64\oleaut32.dll!GetActiveObject                                                                                     0000000076f18f40 5 bytes JMP 000000016c911048

---- Threads - GMER 2.1 ----

Thread   C:\Windows\SysWOW64\svchost.exe [2556:2564]                                                                                                                                                                                           000000007efa0000
Thread   C:\Windows\SysWOW64\svchost.exe [2556:2612]                                                                                                                                                                                           000000007efab973
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [5144:5820]                                                                                                                                                                        000007fefc0a2a7c
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [5144:5828]                                                                                                                                                                        000007feebebd618
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [5144:6132]                                                                                                                                                                        000007fef58b5124

---- Processes - GMER 2.1 ----

Library  Q:\140061.deu\Office14\ONENOTEM.EXE (*** suspicious ***) @ Q:\140061.deu\Office14\ONENOTEM.EXE [4480]                                                                                                                                 000000002dbb0000
Library  Q:\140061.deu\Office14\1031\ONINTL.DLL (*** suspicious ***) @ Q:\140061.deu\Office14\ONENOTEM.EXE [4480]                                                                                                                              000000006c310000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{60B71048-8782-4B42-9AFA-6AEF02FB8559}\Connection@Name                                                                                           isatap.{710CFF55-3618-4361-89AE-DA85859F823D}
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}\Connection@Name                                                                                           isatap.{2FED3E27-9FDE-4669-A696-58B52EB040B5}
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind                                                                                              \Device\{60B71048-8782-4B42-9AFA-6AEF02FB8559}?\Device\{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}?\Device\{E47E8F74-26D7-4497-A379-1C565A3C99AD}?
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route                                                                                             "{60B71048-8782-4B42-9AFA-6AEF02FB8559}"?"{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}"?"{E47E8F74-26D7-4497-A379-1C565A3C99AD}"?
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export                                                                                            \Device\TCPIP6TUNNEL_{60B71048-8782-4B42-9AFA-6AEF02FB8559}?\Device\TCPIP6TUNNEL_{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}?\Device\TCPIP6TUNNEL_{E47E8F74-26D7-4497-A379-1C565A3C99AD}?
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCopyBytes                                                                                                                                                            0xF8 0xA6 0x7A 0x83 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberElapsedTime                                                                                                                                                          24474
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoTime                                                                                                                                                               9274
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime                                                                                                                                                             94
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCopyTime                                                                                                                                                             819
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberPagesWritten                                                                                                                                                         194890
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberPagesProcessed                                                                                                                                                       493213
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberDumpCount                                                                                                                                                            13377
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberFileRuns                                                                                                                                                             3
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberReadTime                                                                                                                                                             12948
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberResumeAppTime                                                                                                                                                        13439
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressTime                                                                                                                                                         14220
Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8da955276                                                                                                                                                           
Reg      HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{60B71048-8782-4B42-9AFA-6AEF02FB8559}@InterfaceName                                                                                                                isatap.{710CFF55-3618-4361-89AE-DA85859F823D}
Reg      HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{60B71048-8782-4B42-9AFA-6AEF02FB8559}@ReusableType                                                                                                                 0
Reg      HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}@InterfaceName                                                                                                                isatap.{2FED3E27-9FDE-4669-A696-58B52EB040B5}
Reg      HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9C7C0A07-6AD2-430F-BC0B-0C3905B4072D}@ReusableType                                                                                                                 0
Reg      HKLM\SYSTEM\CurrentControlSet\services\SynTP\Parameters@DetectTimeMS                                                                                                                                                                  2061
Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0f8da955276 (not active ControlSet)                                                                                                                                       

---- EOF - GMER 2.1 ----
         

I have followed step 1 as well; here is the result for now:

Code:
ATTFilter
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\Software\Microsoft\Windows\CurrentVersion\Run\\kjbnutye deleted successfully.
C:\Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Opige deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1480892100-3287089332-176741844-1001\Software\Microsoft\Windows\CurrentVersion\Run\\userft deleted successfully.
ADS C:\ProgramData\Temp:5925E400 deleted successfully.
C:\Users\xxxxx\AppData\Roaming\Xoysba folder moved successfully.
C:\Users\xxxxx\AppData\Roaming\Qygyyc folder moved successfully.
C:\Users\xxxxx\AppData\Roaming\Cyqeb folder moved successfully.
========== FILES ==========
C:\ProgramData\FullRemove.exe moved successfully.
File\Folder C:\ProgramData\*.dll not found.
File\Folder C:\ProgramData\*.tmp not found.
C:\ProgramData\Temp\{B906C11A-D193-4143-9FA7-E2EE8A5A8F21} folder moved successfully.
C:\ProgramData\Temp\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41} folder moved successfully.
C:\ProgramData\Temp\{2637C347-9DAD-11D6-9EA2-00055D0CA761} folder moved successfully.
C:\ProgramData\Temp\{14C4C3B6-F1F4-401F-8C86-03E8E19AAC8C} folder moved successfully.
C:\ProgramData\Temp\{01FB4998-33C4-4431-85ED-079E3EEFE75D} folder moved successfully.
C:\ProgramData\Temp folder moved successfully.
File\Folder C:\Users\xxxxx\*.tmp not found.
File\Folder C:\Users\xxxxx\AppData\*.dll not found.
File\Folder C:\Users\xxxxx\AppData\*.exe not found.
C:\Users\xxxxx\AppData\Local\Temp\vpnclient_setup.exe moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\tmp folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 folder moved successfully.
C:\Users\xxxxx\AppData\LocalLow\Sun\Java\Deployment\cache folder moved successfully.
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Auflösungscache wurde geleert.
C:\Users\xxxxx\Desktop\cmd.bat deleted successfully.
C:\Users\xxxxx\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: xxxxx
->Temp folder emptied: 684242963 bytes
->Temporary Internet Files folder emptied: 81337643 bytes
->FireFox cache emptied: 67724129 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 468361099 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes
RecycleBin emptied: 2711815259 bytes
 
Total Files Cleaned = 3.828,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 03152013_143833

Files\Folders moved on Reboot...
C:\Users\xxxxx\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\xxxxx\AppData\Local\Temp\MMDUtl.log moved successfully.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.
File move failed. C:\Windows\temp\LMutilps.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
         

The next steps will follow.

Step 2:

1st run

Code:
ATTFilter
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.15.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
xxxxx :: xxxxx-PC [administrator]

15.03.2013 15:20:00
mbar-log-2013-03-15 (15-20-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 29914
Time elapsed: 14 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|logonjqhlp (Trojan.Downloader) -> Data: "C:\Users\xxxxx\AppData\Roaming\logonjqhlp.exe" -autorun -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
c:\Users\xxxxx\AppData\Roaming\logonjqhlp.exe (Trojan.Downloader) -> Delete on reboot.

(end)
         

2nd run

Code:
ATTFilter
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.15.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
xxxxx :: xxxxx-PC [administrator]

15.03.2013 15:42:05
mbar-log-2013-03-15 (15-42-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 29881
Time elapsed: 15 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
         

Step 3 follows.

AdwCleaner log:

Code:
ATTFilter
# AdwCleaner v2.114 - Datei am 15/03/2013 um 15:50:31 erstellt
# Aktualisiert am 05/03/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : xxxxx - xxxxx-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\xxxxx\Desktop\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Ordner Gelöscht : C:\Users\xxxxx\AppData\Roaming\pdfforge

***** [Registrierungsdatenbank] *****


***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16470

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v19.0.2 (de)

Datei : C:\Users\xxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\fo02bgq9.default\prefs.js

C:\Users\xxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\fo02bgq9.default\user.js ... Gelöscht !

[OK] Die Datei ist sauber.

*************************

AdwCleaner[S1].txt - [883 octets] - [15/03/2013 15:50:31]

########## EOF - C:\AdwCleaner[S1].txt - [942 octets] ##########
         

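Added example (not part of the thread, and not code from OTL or MBAR): the OTL and MBAR findings above share one pattern, a Run value under HKCU pointing at a randomly named executable in a user-writable folder (Bpcrkpilfoq\fmkcfutye.exe, AppData\Roaming\logonjqhlp.exe). The script below triages Run entries for exactly that pattern and can also parse MBAR's "Registry Values Detected" lines directly. The scoring thresholds, the list of standard profile folders, and the pairing of the value name kjbnutye with fmkcfutye.exe (OTL does not print value data) are assumptions of this example, not facts from the logs.

```python
"""Triage Windows Run-key autostart entries for the pattern OTL and MBAR
removed in this thread: a randomly named executable dropped into a
user-writable directory and registered under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.

Added example, not code from OTL, MBAR or the thread. The scoring rules
are heuristics of this example; the sample entries are constructed from
paths quoted in the logs (the kjbnutye / fmkcfutye.exe pairing is assumed).
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Locations a non-elevated process (e.g. a dropper started from a mail
# attachment) can write to; Windows itself registers no autostarts here.
WRITABLE_MARKERS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Folders that legitimately sit directly under C:\Users\<name>\ ;
# a new folder at that level (C:\Users\xxxxx\Bpcrkpilfoq\) is unusual.
PROFILE_FOLDERS = {
    "appdata", "desktop", "documents", "downloads", "pictures", "music",
    "videos", "favorites", "links", "contacts", "searches", "saved games",
}

# MBAR log line: <key>|<value> (<detection>) -> Data: <data> -> <action>
MBAR_LINE = re.compile(r"\|(?P<value>\S+) .*?-> Data: (?P<data>.*?) -> ")


def extract_path(command: str) -> str:
    """Return the executable path from a Run-value command line
    (a quoted path, or else the first whitespace-delimited token)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def looks_random(name: str) -> bool:
    """Letters-only names of 6+ characters with few vowels
    ('fmkcfutye', 'logonjqhlp'). Crude, but cheap enough for triage."""
    s = name.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    return sum(c in "aeiou" for c in s) / len(s) <= 0.3


def triage(value_name: str, command: str) -> dict:
    """Score one Run entry. 'suspicious' requires an odd location plus at
    least one more indicator, so a vendor binary in AppData alone passes."""
    path = PureWindowsPath(extract_path(command))
    lower = str(path).lower()
    reasons = []
    if any(marker in lower for marker in WRITABLE_MARKERS):
        reasons.append("target in user-writable directory")
    parts = path.parts
    if (len(parts) >= 4 and parts[1].lower() == "users"
            and parts[3].lower() not in PROFILE_FOLDERS):
        reasons.append("target in non-standard folder under user profile")
    if looks_random(path.stem):
        reasons.append("random-looking file name")
    if looks_random(value_name):
        reasons.append("random-looking value name")
    location_hit = any(r.startswith("target in") for r in reasons)
    return {
        "value": value_name,
        "path": str(path),
        "reasons": reasons,
        "suspicious": location_hit and len(reasons) >= 2,
    }


def triage_mbar_line(line: str) -> Optional[dict]:
    """Parse an MBAR 'Registry Values Detected' line and triage it;
    returns None for lines that are not registry-value detections."""
    m = MBAR_LINE.search(line)
    if not m:
        return None
    return triage(m.group("value"), m.group("data"))


# Constructed sample entries (see module docstring).
SAMPLE_ENTRIES = [
    ("logonjqhlp", r'"C:\Users\xxxxx\AppData\Roaming\logonjqhlp.exe" -autorun'),
    ("kjbnutye", r"C:\Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe"),
    ("OneDrive", r'"C:\Users\xxxxx\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("avgnt", r'"C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min'),
]

if __name__ == "__main__":
    for value, command in SAMPLE_ENTRIES:
        result = triage(value, command)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok        "
        print(f"{flag} {value:<12} {result['path']}  {'; '.join(result['reasons'])}")
```

The two entries from this thread are flagged; the OneDrive entry (a legitimate per-user install under AppData\Local) and the Avira entry are not, which is the point of requiring a second indicator on top of the location. On a live machine the same triage would be fed from the Run and RunOnce keys of every loaded user hive, not from log lines.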

15.03.2013, 21:01   #6
t'john
/// Helper Team



Very good!

Please download aswMBR.exe and save the file to your desktop.
  • Start aswMBR.exe - (aswMBR.exe guide)
    On Windows Vista or later, please start it by right-clicking and choosing "Run as administrator".
  • The tool will ask whether you want to scan your system with the current AVAST! virus definitions. Please answer Yes. (If your firewall asks, allow access to the Internet.)
    Downloading the definitions can take a while depending on your connection.
  • Click Scan.
  • Wait until Scan finished successfully appears in the DOS window.
  • Click Save Log and save it to the desktop.
Post the aswMBR.txt in your next reply.

Important: Do not press any of the Fix buttons without instructions

Note: If the Scan button is greyed out, close the tool and start it again. If the scan aborts and the program crashes, let me know and select (none) under AV Scan.



then:


ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start ESET Online Scanner
  • Tick Yes, I accept the Terms of Use and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • At the end of the scan, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Locate C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the log file here.
  • Uninstall: Control Panel => Programs / Uninstall a program => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset




then:

Please download SecurityCheck and:

  • Save it to the desktop.
  • Start SecurityCheck.exe and follow the instructions in the DOS box.
  • When the scan has finished, a text document (checkup.txt) should open.
Please post its contents here.

15.03.2013, 23:33   #7
Dr.CaRsTeN



aswMBR:

I don't know whether it matters, but only the 2nd run was successful. On the 1st attempt Windows produced a blue screen. After a reboot it then worked without problems.

Code:
ATTFilter
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-03-15 23:13:33
-----------------------------
23:13:33.736    OS Version: Windows x64 6.1.7601 Service Pack 1
23:13:33.736    Number of processors: 4 586 0x2A07
23:13:33.736    ComputerName: xxxxx-PC  UserName: xxxxx
23:13:38.135    Initialize success
23:13:58.914    AVAST engine defs: 13031500
23:14:04.390    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:14:04.390    Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
23:14:04.405    Disk 0 MBR read successfully
23:14:04.421    Disk 0 MBR scan
23:14:04.437    Disk 0 Windows 7 default MBR code
23:14:04.452    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        15360 MB offset 2048
23:14:04.468    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 31459328
23:14:04.483    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       461478 MB offset 31664128
23:14:04.546    Disk 0 scanning C:\Windows\system32\drivers
23:14:25.356    Service scanning
23:15:06.041    Modules scanning
23:15:06.057    Disk 0 trace - called modules:
23:15:06.088    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
23:15:06.603    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80068ca060]
23:15:06.603    3 CLASSPNP.SYS[fffff880013bc43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa8004b17050]
23:15:08.241    AVAST engine scan C:\Windows
23:15:12.624    AVAST engine scan C:\Windows\system32
23:21:59.598    AVAST engine scan C:\Windows\system32\drivers
23:22:20.986    AVAST engine scan C:\Users\xxxxx
23:26:56.810    AVAST engine scan C:\ProgramData
23:28:30.753    Scan finished successfully
23:29:04.137    Disk 0 MBR has been saved successfully to "C:\Users\xxxxx\Desktop\MBR.dat"
23:29:04.153    The log file has been saved successfully to "C:\Users\xxxxx\Desktop\aswMBR.txt"
         
ESET:

Code:
ATTFilter
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=0d84bf9c495ae145aafc9877d1aeae29
# engine=13399
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-03-16 12:36:35
# local_time=2013-03-16 01:36:35 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1799 16775165 100 99 13011 228817485 5790 0
# compatibility_mode=5893 16776573 100 94 55102 115024045 0 0
# scanned=128851
# found=1
# cleaned=0
# scan_time=7108
sh=F6ECE91AECE294B20C6569476DDCBB731D674394 ft=1 fh=cc6ab26dd412f068 vn="Win32/Trustezeb.C trojan" ac=I fn="C:\_OTL\MovedFiles\03152013_143833\C_Users\xxxxx\Bpcrkpilfoq\fmkcfutye.exe"
         
Security Check

Code:
ATTFilter
 Results of screen317's Security Check version 0.99.59  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
Avira Desktop   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware Version 1.70.0.1100  
 JavaFX 2.1.0    
 Java(TM) 6 Update 29  
 Java 7 Update 17  
 Java version out of Date! 
 Adobe Flash Player 11.6.602.180  
 Adobe Reader XI  
 Mozilla Firefox (19.0.2) 
 Mozilla Thunderbird (17.0.4) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         
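Added example (not aswMBR's code): what aswMBR is doing in the "Disk 0 MBR read / MBR scan" lines above is reading the first sector of the disk, decoding the four partition entries, checking that they are consistent, and comparing the bootstrap code with known-good copies (hence "Windows 7 default MBR code"). The script below parses a 512-byte MBR and runs those consistency checks. The sector it works on is constructed to reproduce the three partitions and the disk size from the log above, with a zeroed bootstrap area; there is no signature database here, so the code-hash comparison is only shown as the hook a scanner would use.

```python
"""Parse and sanity-check an MBR partition table, the on-disk structure
aswMBR reads and lists (partition type, boot flag, size, LBA offset).

Added example; not aswMBR's code and without its signature database.
The 512-byte sector is constructed from the thread's aswMBR log: hidden
WinRE partition (type 0x27), the active 100 MB system partition, and the
Windows partition, over a zeroed bootstrap area.
"""
import hashlib
import struct

SECTOR = 512
DISK_MB = 476940                               # "Size: 476940MB" in the log
DISK_SECTORS = DISK_MB * 1024 * 1024 // SECTOR

# (bootable, type, first LBA, sector count), from the log's MB figures
LOGGED_PARTITIONS = [
    (False, 0x27, 2048, 15360 * 2048),         # Hidden NTFS WinRE
    (True, 0x07, 31459328, 100 * 2048),        # System partition, active
    (False, 0x07, 31664128, 461478 * 2048),    # Windows (C:)
]


def build_mbr(entries, bootcode=b"\x00" * 440, disk_sig=0x1234ABCD):
    """Assemble a 512-byte MBR: 440 bytes of boot code, 4-byte disk
    signature, 2 reserved bytes, four 16-byte partition entries, 0x55AA."""
    if len(bootcode) != 440 or len(entries) > 4:
        raise ValueError("bootcode must be 440 bytes, at most 4 entries")
    table = b""
    for bootable, ptype, start, count in entries:
        # CHS fields carry the 0xFE/0xFF/0xFF 'use LBA' marker.
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                             b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                             start, count)
    table = table.ljust(64, b"\x00")
    return bootcode + struct.pack("<IH", disk_sig, 0) + table + b"\x55\xaa"


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA")
    entries = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue
        entries.append({
            "index": i + 1, "flag": flag, "active": flag == 0x80,
            "type": ptype, "start": start, "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return entries


def check_table(entries, disk_sectors):
    """Consistency checks a bootkit scanner runs alongside its code-hash
    comparison. Returns a list of findings; empty means consistent."""
    findings = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']}: invalid boot flag {e['flag']:#x}")
        if e["start"] < 1:
            findings.append(f"partition {e['index']}: starts inside the MBR")
        if e["start"] + e["sectors"] > disk_sectors:
            findings.append(f"partition {e['index']}: extends past end of disk")
    ordered = sorted(entries, key=lambda e: e["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def bootcode_digest(sector):
    """SHA-256 of the 440-byte bootstrap area. A scanner compares this
    with known-good hashes (the log's 'Windows 7 default MBR code'); a
    bootkit that replaced the code shows up as an unknown digest."""
    return hashlib.sha256(sector[:440]).hexdigest()


if __name__ == "__main__":
    mbr = build_mbr(LOGGED_PARTITIONS)
    for e in parse_mbr(mbr):
        print(f"Partition {e['index']} {'(A)' if e['active'] else '   '} "
              f"type {e['type']:#04x} {e['size_mb']:>7} MB offset {e['start']}")
    print("findings:", check_table(parse_mbr(mbr), DISK_SECTORS) or "none")
    print("bootcode sha256:", bootcode_digest(mbr))
```

Run against the constructed sector it reproduces the three lines of the log (15360 MB at 2048, 100 MB active at 31459328, 461478 MB at 31664128) with no findings. Reading the real sector 0 of a physical disk needs administrative rights and the raw device (\\.\PhysicalDrive0 on Windows), which is exactly why aswMBR has to be started as administrator.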

16.03.2013, 09:21   #8
t'john
/// Helper Team



Uninstall Java(TM) 6 Update 29 at all costs!




Disable Java

Because of the current security hole:

http://www.trojaner-board.de/122961-...ktivieren.html

Afterwards post (copy and paste) what you get shown here: PluginCheck
__________________
Regards, t'john

16.03.2013, 10:36   #9
Dr.CaRsTeN


PluginCheck

The PluginCheck helps close the biggest security holes when surfing the Internet.
Checked: browser, Flash, Java and Adobe Reader version.

Firefox 19.0 is up to date

Flash (11,6,602,180) is up to date.

Java is not installed or not enabled.

Adobe Reader 11,0,1,36 is up to date.

17.03.2013, 10:17   #10
t'john
/// Helper Team



Very good!

That means you are clean and dismissed!

Remove adwCleaner

  • Start adwcleaner.exe with a double-click.
  • Click Uninstall.
  • Confirm with Yes.




Tool clean-up with OTL


We will now use OTL's CleanUp! function to remove most of the programs we installed for the clean-up from your system again.
  • Please download OTL by OldTimer (if you do not have it any more).
  • Save it to your desktop.
  • Double-click OTL.exe to run the program.
    Vista and Windows 7 users right-click the program icon and choose "Run as administrator".
  • Click the "CleanUp" button
  • OTL may ask for a reboot.
    If it does, please allow it.
Note: After the reboot, OTL and the other helper programs you downloaded during the clean-up will no longer be present. They have been removed. So it is OK if these programs are gone. If any are left over, delete them manually.


Resetting the security zones

Have the security zones reset, since they were manipulated to open the browser to further attacks.
Proceed as described here: http://www.trojaner-board.de/111805-...ecksetzen.html


Emptying System Restore

So that the computer cannot be re-infected from an infected System Restore point, we have to empty it. To do that we switch it off once and then back on:
Disable System Restore tutorial for Windows XP, Windows Vista, Windows 7
Then enable it again.



Reading to work through:
http://www.trojaner-board.de/90880-d...tallation.html
http://www.trojaner-board.de/105213-...tellungen.html
PluginCheck
http://www.trojaner-board.de/96344-a...-rechners.html
Secunia Online Software Inspector
http://www.trojaner-board.de/71715-k...iendungen.html
http://www.trojaner-board.de/83238-a...sschalten.html
http://www.trojaner-board.de/109844-...ren-seite.html
PC keeps getting slower - what to do?
__________________
Regards, t'john

17.03.2013, 13:00   #11
Dr.CaRsTeN



Then I now have every reason to say thank you, also on behalf of my girlfriend.

I always find it admirable how much effort is put in here to look after users' problems, without immediately advising a complete format.


Many, many thanks, and have a nice Sunday

Carsten

17.03.2013, 13:05   #12
t'john
/// Helper Team





We wish you a virus-free time
__________________
Regards, t'john
