Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Telekom Brief Zeus/Zbot

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 11.04.2013, 23:54   #1
Malibouman
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Hallo
Also Ich habe von der Telekom einen Brief bekommen das sich auf einem unserer Rechner ein Onlinebanking Trojaner namens ZeusBot/Zbot befindet.

Ich hab sofort einen Virenscan gemacht bei meiner Frau und mir und bei Ihr wurden auch Trojaner gefunden, einer stand schon seit 1 Woche von MSE unter Quarantäne, was sie mir bis jetzt verschwiegen hatte. Komisch dachte ich mir nur, dachte immer die Quarantäne ist sicher?

Leider habe ich Ihn sofort gelöscht und auch gleich den Browserverlauf gelöscht weil Sie meinte das MSE beim surfen eine Warnung gegeben hat. Habe dann die Telekom anweisungen befolgt und Malewarebytes durchlaufen lassen, das hat dann nichts mehr gefunden.

Doch durch die Beiträge hier bin ich ins nachdenken gekommen, das es wohl nicht so einfach ist diesen Schädling los zuwerden.

Ich habe sofort auf der Arbeit an einem neutralen Rechner all unsere Passwörter geändert, die sind teilweise sogar im Firefox gespeichert gewesen.

Da ich nicht sicher bin ob der Trojaner sich auch auf meinem Rechner ausgebreitet hat(weis nicht ob ich MSE da vertrauen kann) habe ich eure Anleitung befolgt, also fangen ich am besten mit dem "Nicht" infizierten Rechner an.

defogger.txt
Code:
ATTFilter
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:38 on 11/04/2013 (Admin)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
         
OTL.txt
Code:
ATTFilter
OTL logfile created on: 11.04.2013 21:44:05 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Benni\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 1,60 Gb Available Physical Memory | 40,02% Memory free
8,22 Gb Paging File | 5,63 Gb Available in Paging File | 68,52% Paging File free
Paging file location(s): c:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 107,89 Gb Total Space | 24,61 Gb Free Space | 22,81% Space Free | Partition Type: NTFS
Drive D: | 488,28 Gb Total Space | 194,07 Gb Free Space | 39,75% Space Free | Partition Type: NTFS
 
Computer Name: DESKTOP01 | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Benni\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Windows\SysWOW64\conime.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE ()
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (AMD FUEL Service) -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe (Advanced Micro Devices, Inc.)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (WSS_ComputerBackupProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (SqmProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (providers_system) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (NotificationsProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (initMonitor) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (HealthAlertsSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (NisSrv) -- C:\Programme\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- C:\Programme\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (WhsMcClient) -- C:\Programme\Windows Server\Bin\WhsMcClient.exe (Microsoft Corporation)
SRV - (arXfrSvc) -- C:\Programme\Windows Server\Bin\Microsoft.HomeServer.Archive.TransferService.exe (Microsoft Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (ServiceProviderRegistry) -- C:\Programme\Windows Server\Bin\ProviderRegistryService.exe (Microsoft Corporation)
SRV - (LoClntService) -- C:\Programme\Windows Server\Bin\LightsOutClientService.exe (AxoNet Software GmbH)
SRV - (LANConfig) -- C:\Programme\Windows Server\Bin\LANConfigSvc.exe (Microsoft Corporation)
SRV - (WSConnectorUpdate) -- C:\Programme\Windows Server\Bin\WSConnectorUpdate.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (wlidsvc) -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (ES lite Service) -- C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE ()
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (SANDRA) -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP1a\WNt500x64\Sandra.sys File not found
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\DRIVERS\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\DRIVERS\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\DRIVERS\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\DRIVERS\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (AnyDVD) -- C:\Windows\SysNative\Drivers\AnyDVD.sys (SlySoft, Inc.)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (BackupReader) -- C:\Windows\SysNative\DRIVERS\BackupReader.sys (Microsoft Corporation)
DRV:64bit: - (ElbyCDIO) -- C:\Windows\SysNative\Drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\Drivers\usbaapl64.sys (Apple, Inc.)
DRV:64bit: - (amdiox64) -- C:\Windows\SysNative\DRIVERS\amdiox64.sys (Advanced Micro Devices)
DRV:64bit: - (atksgt) -- C:\Windows\SysNative\DRIVERS\atksgt.sys ()
DRV:64bit: - (lirsgt) -- C:\Windows\SysNative\DRIVERS\lirsgt.sys ()
DRV:64bit: - (WpdUsb) -- C:\Windows\SysNative\DRIVERS\wpdusb.sys (Microsoft Corporation)
DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV:64bit: - (VClone) -- C:\Windows\SysNative\DRIVERS\VClone.sys (Elaborate Bytes AG)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (RTL8169) -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys (Realtek Corporation                                            )
DRV:64bit: - (MRV6X64P) -- C:\Windows\SysNative\DRIVERS\MRVW13C.sys (Marvell Semiconductor, Inc)
DRV - (gdrv) -- C:\Windows\gdrv.sys (Windows (R) Server 2003 DDK provider)
DRV - (GVTDrv64) -- C:\Windows\GVTDrv64.sys ()
DRV - (AODDriver4.2) -- C:\Programme\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys (Advanced Micro Devices)
DRV - (AnyDVD) -- C:\Windows\SysWOW64\drivers\AnyDVD.sys (SlySoft, Inc.)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-2191219830-1142027811-3873258821-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKU\S-1-5-21-2191219830-1142027811-3873258821-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2191219830-1142027811-3873258821-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2191219830-1142027811-3873258821-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2191219830-1142027811-3873258821-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 216.165.109.81:3127
 
IE - HKU\S-1-5-21-2191219830-1142027811-3873258821-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_6_602_180.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@comrade.gamespy.com/comrade: C:\Program Files (x86)\GameSpy\Comrade\npcomrade.dll (IGN Entertainment)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.03.08 22:18:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.03.08 22:18:44 | 000,000,000 | ---D | M]
 
[2013.03.13 00:54:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.03.08 22:18:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2013.03.08 22:18:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
[2013.03.08 22:18:40 | 000,000,000 | ---D | M] (Anti-Banner) -- C:\Program Files (x86)\mozilla firefox\extensions\KavAntiBanner@kaspersky.ru_bak2
[2013.03.08 22:18:40 | 000,000,000 | ---D | M] (Modul zur Link-Untersuchung) -- C:\Program Files (x86)\mozilla firefox\extensions\linkfilter@kaspersky.ru_bak2
[2013.03.08 22:18:50 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.11.08 20:54:23 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.11.08 20:54:23 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.11.08 20:54:23 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.11.08 20:54:23 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.11.08 20:54:23 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.11.08 20:54:23 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - homepage: hxxp://www.google.com
CHR - Extension: Docs = C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\
 
O1 HOSTS File: ([2006.09.18 23:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [Launchpad] C:\Program Files\Windows Server\Bin\Launchpad.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2191219830-1142027811-3873258821-1007..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2191219830-1142027811-3873258821-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_Plugin.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-2191219830-1142027811-3873258821-1007..\RunOnce: [Microsoft Security Client] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll ()
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {2665693B-C4F3-434B-83DB-7574CF50C8B7} hxxp://www.kaspersky.com/downloads/misc/kasperskylicensefinder.cab (Kaspersky License Finder)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 10.17.2)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{234915B0-5B9F-4921-8B23-056E23925AA9}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{62EEEE39-4A8B-45CF-BA09-2587A6EA5E04}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~2\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.08.14 16:13:07 | 000,000,000 | ---D | M] - D:\Autoruns -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk /r \??\K:)
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.04.07 13:12:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2013.04.07 13:11:59 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013.04.07 13:11:24 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\Google
[2013.04.07 13:11:21 | 000,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\netio.sys
[2013.04.07 13:07:22 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\Microsoft_Corporation
[2013.04.07 13:04:48 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\AMD
[2013.04.07 13:04:41 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\ATI
[2013.04.07 13:04:41 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\ATI
[2013.04.07 13:04:05 | 000,000,000 | R--D | C] -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2013.04.07 13:04:04 | 000,000,000 | R--D | C] -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2013.04.07 13:04:04 | 000,000,000 | R--D | C] -- C:\Users\Admin\Searches
[2013.04.07 13:03:22 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Identities
[2013.04.07 13:03:20 | 000,000,000 | R--D | C] -- C:\Users\Admin\Contacts
[2013.04.07 13:03:19 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\VirtualStore
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Vorlagen
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\AppData\Local\Verlauf
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\AppData\Local\Temporary Internet Files
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Startmenü
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\SendTo
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Recent
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Netzwerkumgebung
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Lokale Einstellungen
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Documents\Eigene Videos
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Documents\Eigene Musik
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Eigene Dateien
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Documents\Eigene Bilder
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Druckumgebung
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Cookies
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\AppData\Local\Anwendungsdaten
[2013.04.07 13:03:12 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Anwendungsdaten
[2013.04.07 13:03:11 | 000,000,000 | --SD | C] -- C:\Users\Admin\AppData\Roaming\Microsoft
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Videos
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Saved Games
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Pictures
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Music
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Links
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Favorites
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Downloads
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Documents
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\Desktop
[2013.04.07 13:03:11 | 000,000,000 | R--D | C] -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2013.04.07 13:03:11 | 000,000,000 | -H-D | C] -- C:\Users\Admin\AppData
[2013.04.07 13:03:11 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\Temp
[2013.04.07 13:03:11 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\Microsoft
[2013.04.07 13:03:11 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Media Center Programs
[2013.04.07 13:03:11 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Macromedia
[2013.04.07 13:03:11 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Apple Computer
[2013.04.07 13:03:11 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\Apple Computer
[2013.03.24 14:26:19 | 000,019,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usb8023.sys
[2013.03.14 07:54:11 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013.03.14 07:54:11 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013.03.14 07:54:10 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013.03.14 07:54:10 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013.03.14 07:54:10 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013.03.14 07:54:10 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013.03.14 07:54:10 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013.03.14 07:54:10 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013.03.14 07:54:09 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013.03.14 07:54:09 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013.03.14 07:54:09 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013.03.14 07:54:09 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013.03.14 07:54:08 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013.03.14 07:54:08 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013.03.14 07:54:08 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013.03.13 00:56:28 | 000,262,560 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2013.03.13 00:55:35 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2013.03.13 00:55:35 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2013.03.13 00:55:35 | 000,095,648 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.04.11 21:37:58 | 000,000,000 | ---- | M] () -- C:\Users\Admin\defogger_reenable
[2013.04.11 21:31:00 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.04.11 21:26:59 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.04.11 21:26:59 | 000,003,712 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.04.11 21:07:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.04.11 19:31:35 | 000,001,104 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.04.11 18:12:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.04.07 13:28:52 | 001,562,098 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.04.07 13:28:52 | 000,671,960 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.04.07 13:28:52 | 000,632,668 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.04.07 13:28:52 | 000,145,022 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.04.07 13:28:52 | 000,119,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.04.07 13:21:08 | 000,024,104 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\Windows\gdrv.sys
[2013.04.07 13:20:01 | 4293,386,240 | -HS- | M] () -- C:\hiberfil.sys
[2013.04.07 13:12:42 | 000,002,154 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013.03.13 00:55:21 | 000,095,648 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2013.03.13 00:55:20 | 000,861,088 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\npdeployJava1.dll
[2013.03.13 00:55:20 | 000,782,240 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\deployJava1.dll
[2013.03.13 00:55:20 | 000,262,560 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2013.03.13 00:55:20 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2013.03.13 00:55:20 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.04.11 21:37:58 | 000,000,000 | ---- | C] () -- C:\Users\Admin\defogger_reenable
[2013.04.07 13:12:33 | 000,001,826 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013.04.07 13:04:22 | 000,000,949 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2013.04.07 13:04:11 | 000,000,979 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2013.04.07 13:03:47 | 000,000,974 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2013.04.07 13:03:19 | 000,000,915 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
[2013.04.07 13:00:52 | 000,002,154 | ---- | C] () -- C:\Windows\epplauncher.mif
[2011.09.28 18:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011.09.13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.08.08 01:25:16 | 000,066,872 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011.08.08 01:08:06 | 001,541,168 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2009.08.15 00:09:20 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009.06.27 23:36:34 | 000,000,125 | -HS- | C] () -- C:\ProgramData\.zreglib
 
========== ZeroAccess Check ==========
 
[2006.11.02 17:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.08 19:59:03 | 012,899,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.04.11 09:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 08:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2008.01.21 04:50:58 | 000,513,024 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2012.10.13 17:34:52 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\.minecraft
[2009.10.26 13:16:51 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\Games
[2011.02.17 21:09:03 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\Haufe
[2010.11.29 19:30:37 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\ICQ
[2012.01.08 10:46:00 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\Kalypso Media
[2012.02.19 01:53:38 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\LucasArts
[2012.08.15 21:07:05 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\Minecraft BACKUP
[2012.08.17 19:45:42 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\Neuer Ordner
[2013.04.11 18:18:02 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\QuickScan
[2009.09.07 20:47:02 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\ScummVM
[2009.03.29 19:11:32 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\Sierra
[2011.09.02 19:55:55 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\TS3Client
[2009.03.27 14:54:23 | 000,000,000 | ---D | M] -- C:\Users\Benni\AppData\Roaming\Ubisoft
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 72 bytes -> C:\Windows:56685A3E318780BD

< End of report >
         
Extras.txt
Code:
ATTFilter
OTL Extras logfile created on: 11.04.2013 21:44:05 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Benni\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 1,60 Gb Available Physical Memory | 40,02% Memory free
8,22 Gb Paging File | 5,63 Gb Available in Paging File | 68,52% Paging File free
Paging file location(s): c:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 107,89 Gb Total Space | 24,61 Gb Free Space | 22,81% Space Free | Partition Type: NTFS
Drive D: | 488,28 Gb Total Space | 194,07 Gb Free Space | 39,75% Space Free | Partition Type: NTFS
 
Computer Name: DESKTOP01 | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_USERS\S-1-5-21-2191219830-1142027811-3873258821-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [CEWE FOTOSCHAU] -- "C:\Program Files (x86)\CEWE COLOR\Mein CEWE FOTOBUCH\CEWE FOTOSCHAU.exe" -d "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Mein CEWE FOTOBUCH] -- "C:\Program Files (x86)\CEWE COLOR\Mein CEWE FOTOBUCH\Mein CEWE FOTOBUCH.exe" "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [CEWE FOTOSCHAU] -- "C:\Program Files (x86)\CEWE COLOR\Mein CEWE FOTOBUCH\CEWE FOTOSCHAU.exe" -d "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Mein CEWE FOTOBUCH] -- "C:\Program Files (x86)\CEWE COLOR\Mein CEWE FOTOBUCH\Mein CEWE FOTOBUCH.exe" "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01  [binary data]
"VistaSp2" = 86 05 37 0E EA F7 C9 01  [binary data]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2135BF1F-AAE9-430C-82FE-14161D9C5CC9}" = rport=445 | protocol=6 | dir=out | app=system | 
"{21B79C5B-5F0A-4F23-9A62-47882622F9FF}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe | 
"{29709B9B-5D8A-4703-8F69-2155874F9DAD}" = rport=138 | protocol=17 | dir=out | app=system | 
"{4E99D540-4395-4555-9882-6B250DDD4E1C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{80295008-4610-4204-A261-00AD6C2642B1}" = lport=137 | protocol=17 | dir=in | app=system | 
"{8C5C4B87-4A10-49C9-AFA1-6C4DB6B51437}" = lport=138 | protocol=17 | dir=in | app=system | 
"{9AD5D433-2A89-4F16-B484-AA8A86639512}" = rport=139 | protocol=6 | dir=out | app=system | 
"{A81FC5CD-314D-4485-98F3-83C6199A64F2}" = lport=445 | protocol=6 | dir=in | app=system | 
"{CE1910A5-0D41-41C9-9707-31201AD5BD38}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{D0EC918F-4A2B-42BA-9B92-10BD56179F6B}" = lport=139 | protocol=6 | dir=in | app=system | 
"{DC53F477-C181-4098-8654-C631EB15C45E}" = rport=137 | protocol=17 | dir=out | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0138556A-CB2B-41AF-AE96-7B592BDDF8FD}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\hitman 2 silent assassin\hitman2.exe | 
"{026F1DC4-5973-4A04-938D-E62E1DA4D9F7}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe | 
"{07636DDF-6320-4120-AFF8-3E37D8510A07}" = protocol=6 | dir=in | app=d:\spiele\two worlds\twoworlds_radeon.exe | 
"{0878110D-3849-4FCD-9B03-C54C31FD4209}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\hitman codename 47\setup.exe | 
"{12BA12A8-2CC1-4CE9-B281-78E309EB969A}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\metro 2033\metro2033.exe | 
"{15A981E2-AF57-47D2-A459-497A0CA1BFBC}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{174A9F04-4C6A-476B-B252-7F2AB43925BE}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\hitman blood money\hitmanbloodmoney.exe | 
"{1A158A6D-0B72-4780-B9C1-53331AE067D8}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future 103\backtothefuture103.exe | 
"{1AE588A1-89C0-4F4C-850B-C2E48A15EAC9}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\hitman blood money\hitmanbloodmoney.exe | 
"{1C3C1F1B-1264-41AA-9192-1DAF682986F5}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{23E2F833-6B00-4BCF-BCE5-F6829431595F}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future 103\backtothefuture103.exe | 
"{242C4357-31EF-41F4-BFBB-270057BDB58C}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future 105\backtothefuture105.exe | 
"{24DB0F8C-06B7-47A2-9493-2382D145A019}" = protocol=17 | dir=in | app=d:\spiele\two worlds\twoworlds_radeon.exe | 
"{286D3B50-F806-455B-9E07-5DFBE11FFD9A}" = protocol=17 | dir=in | app=d:\spiele\swat 4\contentexpansion\system\swat4x.exe | 
"{28FED0D1-05D8-4028-9938-07DE82DA86CB}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\homefront\binaries\homefront.exe | 
"{2AC05FF9-32D8-4D44-93CE-540F6E1CC21F}" = protocol=17 | dir=in | app=d:\spiele\two worlds\twoworlds.exe | 
"{2BA116E6-6D45-4CE0-8082-B179C9B21688}" = protocol=17 | dir=in | app=d:\spiele\stronghold 2\stronghold2.exe | 
"{2BB6ABF9-5D3C-466D-8572-5FDE6365394F}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future ep 1\backtothefuture101.exe | 
"{2DDAFCD1-65E4-4A7A-B20E-D232C24FFFB7}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\hitman codename 47\hitman.exe | 
"{31B6A997-F096-408A-98DD-FC5D29F1AB7D}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\company of heroes\reliccoh.exe | 
"{3335AC30-8304-47E9-9783-CD58FDCBA816}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\sniper ghost warrior\sniper_x86.exe | 
"{33CF3051-2335-4569-A941-630DD52D7AD3}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\duke nukem forever\system\dukeforever.exe | 
"{34328371-429D-4DAA-B5E0-F81994223E5E}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\hitman blood money\configure.exe | 
"{352495A0-E2AE-4A07-B0D2-8F987F231834}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\tom clancy's splinter cell conviction\src\system\conviction_game.exe | 
"{390D64D3-1490-4163-BB23-3B0B5085EF9F}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\airline tycoon 2\airlinetycoon2.exe | 
"{3B29C198-908F-444F-B78A-7FF73D481A93}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future ep 1\backtothefuture101.exe | 
"{45762E1E-AA83-49BC-ADC3-DD7728C9BC2B}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\left 4 dead 2\left4dead2.exe | 
"{4588C29D-4F19-4BC2-B8C6-2EAA637B4E12}" = protocol=6 | dir=in | app=d:\spiele\stronghold 2\stronghold2.exe | 
"{4755FC77-0C1A-4E0E-8723-F1B3A0E7503E}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\portal 2\portal2.exe | 
"{488F56A0-F68F-47B8-A0CC-639759D89968}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\metro 2033\metro2033.exe | 
"{4CDDA2F8-98C6-4D10-AE72-D9C8EBD7FB28}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\magic the gathering dotp 2012\magic_2012.exe | 
"{5140C728-D0D4-426E-B9D8-ACBE53C29D81}" = protocol=6 | dir=in | app=d:\spiele\swat 4\contentexpansion\system\swat4xdedicatedserver.exe | 
"{533D9CC9-DE8F-4EE6-B3EA-CDF43002B784}" = protocol=6 | dir=in | app=d:\spiele\assassin's creed\assassinscreed_dx10.exe | 
"{540E0B1B-C9F5-420A-AAFD-C3C38A525476}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\airline tycoon 2\airlinetycoon2.exe | 
"{5711883E-555E-4746-A32C-B4FDF7D94EE2}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future 104\backtothefuture104.exe | 
"{59A891F9-6B7E-4556-B8FB-932CBF6F4305}" = protocol=17 | dir=in | app=d:\spiele\assassin's creed\assassinscreed_dx9.exe | 
"{5B8EE4E6-05C3-48DF-B076-22448FF48BE6}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\payday the heist\payday_win32_release.exe | 
"{5D10BCE3-E103-4023-BC78-1ECBD172D97D}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\alpha protocol\aplauncher.exe | 
"{5D2F953C-782A-4F37-8173-56DB75ABE066}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{631B5099-F496-4838-A980-C69EAEF66A21}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future 104\backtothefuture104.exe | 
"{6578D98A-7F73-4D3F-A63A-7E18158235E4}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\sniper ghost warrior\sniper_x86.exe | 
"{6A29B17E-DFA5-424B-8A11-22143AF8155A}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\alpha protocol\aplauncher.exe | 
"{6A2D50EE-163B-4A4B-BFF9-FC0D413B9258}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe | 
"{6DA94852-F93D-419D-887F-FB39B433E9CF}" = protocol=17 | dir=in | app=d:\spiele\assassin's creed\assassinscreed_dx10.exe | 
"{6FC8663D-647B-42D9-B831-F28D518A2EA0}" = protocol=6 | dir=in | app=d:\spiele\assassin's creed\assassinscreed_launcher.exe | 
"{705F22E6-7F75-45E0-B14A-4CD90E3EF787}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{75F94FBB-97AE-4929-848E-630759008D0B}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\monkey2\monkey2.exe | 
"{7F6EA167-3094-4E6D-806C-E941B01BB69C}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\portal 2\portal2.exe | 
"{8143D15A-6630-4E99-84EE-7CEF8B755532}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{847B64BB-A7AF-4627-A0E7-2229D8E0A730}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\hitman 2 silent assassin\config.exe | 
"{851E4302-97EF-4BBF-BD2A-F26C6E4757F1}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\hitman codename 47\setup.exe | 
"{8CB150E2-94A7-45CA-8001-24841AF61D61}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | 
"{8DF07C7E-3341-4409-899B-8148DF6E6110}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\homefront\binaries\homefront.exe | 
"{904552E8-47DA-4C82-A671-3708FD8494AE}" = protocol=17 | dir=in | app=d:\spiele\anno 1701\anno1701addon.exe | 
"{9080CA90-8648-4FF2-8DC8-B4D439209A82}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\kane and lynch dead men\launcher.exe | 
"{90B907C6-DB87-4E05-AECB-927CC72CBA56}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\hitman blood money\configure.exe | 
"{92A6B400-C1A2-41E6-ABCC-EB22C31267B7}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\company of heroes\reliccoh.exe | 
"{9349528C-BF42-48D7-98DF-BA5690F6B01C}" = protocol=6 | dir=in | app=d:\spiele\swat 4\contentexpansion\system\swat4x.exe | 
"{93971A9A-0C2C-48A5-97F4-7323357A362F}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{96374FEC-0D84-4A36-8DF3-22E0292DC0A7}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{9774F7DF-8390-4EF2-81C4-19959AFF5FB3}" = protocol=17 | dir=in | app=d:\spiele\assassin's creed\assassinscreed_launcher.exe | 
"{9ABD2802-9D19-4CC0-9E57-34AF893C6E85}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\mafia ii\pc\mafia2.exe | 
"{9EA45C0F-5D02-4554-B969-527928D20FD4}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\hitman codename 47\hitman.exe | 
"{9FDF3C39-A9B6-4759-AE22-5166FFA6A0BF}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future 105\backtothefuture105.exe | 
"{A94FA238-746B-45DA-BB84-30A694491BF3}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\crysis\bin32\crysis.exe | 
"{AA03C5FC-6199-4094-B098-597D57BE26F6}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\deponia\deponia.exe | 
"{AAC4D4A0-7FBF-49E4-A3F6-20B3A3916FC3}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{AACA57EC-C960-4820-A150-24B5B79D7661}" = protocol=17 | dir=in | app=d:\spiele\swat 4\contentexpansion\system\swat4xdedicatedserver.exe | 
"{AB1D2C81-4A10-486D-ABE4-7F3E29B8E66E}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\hitman 2 silent assassin\config.exe | 
"{AB73A9A5-D75F-4644-A633-039DB11CC8E2}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\deponia\deponia.exe | 
"{ACC4C9F9-CC06-43CC-8EB9-F322FE8C9A9A}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\tom clancy's splinter cell conviction\src\system\conviction_game.exe | 
"{AFC27A67-404D-41E5-94AD-CCD36B143D32}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\monkey2\monkey2.exe | 
"{B1DFF562-C1ED-4A4A-9460-F76F392853A2}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future ep 2\backtothefuture102.exe | 
"{B26D2BC2-2BF1-4109-9120-EC6FADE9645A}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\magic the gathering dotp 2012\magic_2012.exe | 
"{B333A5BC-D2F2-4CC9-802F-771979B6D7ED}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\duke nukem forever\system\dukeforever.exe | 
"{B34D604F-D882-461D-A6B7-070A11E1BE28}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\kane & lynch 2 - dog days\kl2.exe | 
"{B4219F1E-4886-49D5-A33E-36633D813EE7}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | 
"{B5467866-E40A-47E9-8798-15029CFF6896}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\crysis\bin32\crysis.exe | 
"{BB29C7D6-84A4-4304-8628-5EA95DD9149D}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\the secret of monkey island special edition\mise.exe | 
"{C0430A13-CAB9-4315-BA3D-8175E6AA41F1}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft games\age of empires iii\age3.exe | 
"{C4453E41-C3CB-40AE-AF6D-AB5A7898E94B}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\borderlands\binaries\borderlands.exe | 
"{C5FE996A-03A5-481D-8A59-9DFF1227A091}" = protocol=6 | dir=in | app=d:\spiele\assassin's creed\assassinscreed_dx9.exe | 
"{C8DAFBD4-9145-4D8A-8A79-C0B2E984FE1B}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\borderlands\binaries\borderlands.exe | 
"{CA893709-CB0E-4007-9CAD-A9645C3CD7E7}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{D0B10893-AE01-4D19-83E9-361408D60454}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{D37FB6C7-FF23-49EB-A325-5F8CD97A2BA2}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\mafia ii\pc\mafia2.exe | 
"{D46236CC-8BF1-4D91-847C-2213E65AD41B}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe | 
"{D9CC81A6-2B02-4A6A-A8E7-C5C241D9930F}" = protocol=6 | dir=in | app=d:\spiele\two worlds\twoworlds.exe | 
"{DCE79EB0-5816-4F1D-A588-3E9001DF5083}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe | 
"{DF0443C4-2338-4D45-A034-EEAA6CAD1B46}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe | 
"{E47A47C6-0615-467D-8FBE-EBCCFD84A075}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\kane and lynch dead men\launcher.exe | 
"{E95CA024-DB83-432E-8551-D62B78EADD32}" = protocol=6 | dir=in | app=d:\spiele\anno 1701\anno1701addon.exe | 
"{E9FBFBCD-4049-4BFF-B9D5-1A604E0F3A61}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\payday the heist\payday_win32_release.exe | 
"{EB754829-CF0F-4F8B-A5B9-F167729BBAE2}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe | 
"{EC1679E3-EB0D-4446-A1E2-658B186EDB87}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{EE44659C-320D-4713-A416-5CE271854F52}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft games\age of empires iii\age3.exe | 
"{F16E5F77-3B09-4061-BE81-C7BD1856126C}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\left 4 dead 2\left4dead2.exe | 
"{F213F7E5-BD67-410A-A2E5-BF9F3C36601B}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\back to the future ep 2\backtothefuture102.exe | 
"{F3D6D842-C4AD-405E-AFDE-229DC917BE77}" = protocol=17 | dir=in | app=d:\spiele\steam\steamapps\common\hitman 2 silent assassin\hitman2.exe | 
"{F87FA210-5685-4FD8-B1D3-359323066866}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\kane & lynch 2 - dog days\kl2.exe | 
"{FD00119A-9A3B-4328-90DE-F0DF641C45A1}" = protocol=1 | dir=in | name=sisoftware sandra agent service (icmp-in) | 
"{FEBF7C95-48F2-4B66-9753-60908533F479}" = protocol=6 | dir=in | app=d:\spiele\steam\steamapps\common\the secret of monkey island special edition\mise.exe | 
"TCP Query User{6BED8B39-803E-40E3-8266-9D8F94E72CDD}C:\programdata\kaspersky lab setup files\kaspersky internet security 2009\german\setup.exe" = protocol=6 | dir=in | app=c:\programdata\kaspersky lab setup files\kaspersky internet security 2009\german\setup.exe | 
"TCP Query User{9E43448B-6A55-4B81-BC2F-5DACF760AC09}C:\program files (x86)\gigabyte\@bios\gwflash.exe" = protocol=6 | dir=in | app=c:\program files (x86)\gigabyte\@bios\gwflash.exe | 
"TCP Query User{AE1F52FC-81CF-4053-B6BF-2F97D93E9275}C:\program files (x86)\gigabyte\et6\gbtupd.exe" = protocol=6 | dir=in | app=c:\program files (x86)\gigabyte\et6\gbtupd.exe | 
"TCP Query User{F659A909-4C8C-4373-9CFE-99E6AAE9DB06}C:\program files (x86)\gigabyte\et6\updexe.exe" = protocol=6 | dir=in | app=c:\program files (x86)\gigabyte\et6\updexe.exe | 
"UDP Query User{4A61A90E-D143-4B62-BAE8-408881A23824}C:\program files (x86)\gigabyte\et6\updexe.exe" = protocol=17 | dir=in | app=c:\program files (x86)\gigabyte\et6\updexe.exe | 
"UDP Query User{9CFF3651-695B-49BE-884D-BF0AACD023BD}C:\program files (x86)\gigabyte\et6\gbtupd.exe" = protocol=17 | dir=in | app=c:\program files (x86)\gigabyte\et6\gbtupd.exe | 
"UDP Query User{A6EE44AC-AEC9-45F9-B76A-6E6493729D54}C:\programdata\kaspersky lab setup files\kaspersky internet security 2009\german\setup.exe" = protocol=17 | dir=in | app=c:\programdata\kaspersky lab setup files\kaspersky internet security 2009\german\setup.exe | 
"UDP Query User{C0C3BD5B-65B4-4B22-A533-5E9C972A83E7}C:\program files (x86)\gigabyte\@bios\gwflash.exe" = protocol=17 | dir=in | app=c:\program files (x86)\gigabyte\@bios\gwflash.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{042B10AA-8233-A9E0-4DEB-B7253C686DBB}" = AMD Fuel
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{26A24AE4-039D-4CA4-87B4-2F86417005FF}" = Java(TM) 7 Update 5 (64-bit)
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{46DA7FD9-8BC1-7BA8-98D1-27F46647871B}" = AMD Catalyst Install Manager
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{56F26668-13DA-497A-883F-61434A10CBAB}" = MobileMe Control Panel
"{57580625-C673-7FEA-8791-E84B7AAF5069}" = ccc-utility64
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{77B8B4A5-EE79-4907-A318-2DA86325B8D7}" = iTunes
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{C1E4D639-4A33-4314-809E-89BD0EF48522}" = Windows Home Server 2011 Connector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D954C6C2-544B-4091-A47F-11E77162883E}" = Microsoft Security Client
"{DA0D6B4B-EED6-4EE8-9ECF-0F7D83F5E0CE}" = Lights-Out Client x64
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
"{E5C95CA5-4565-4B9D-97ED-05088D775614}" = Apple Mobile Device Support
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CCleaner" = CCleaner
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"WinRAR archiver" = WinRAR
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01521746-02A6-4A72-00BD-A285DF6B80C6}" = Die Sims 2: Wilde Campus-Jahre
"{02B244A2-7F6A-42E8-A36F-8C385D7A1625}" = Gothic III
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07300F01-89CA-4CF8-92BD-2A605EB83C95}" = EasySaver B8.1124.1 
"{086BADF8-9B1F-4E89-B207-2EDA520972D6}" = Grand Theft Auto San Andreas
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0F7A6FD0-87F5-FB5D-973C-CF604DE1BC6B}" = CCC Help Polish
"{11083C7A-D0D6-4DA4-8C3A-74B8389EC07B}" = ATI Catalyst Registration
"{16D2C649-CBA8-44EE-B730-12584667D487}" = Stronghold 2
"{1A9BE3D6-4D53-2C9D-B77D-562D85936B91}" = CCC Help Norwegian
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{210DFA65-F805-1A2B-4F83-8E27279AE385}" = Catalyst Control Center Graphics Previews Common
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
"{29822CAD-C76A-0BEE-55F5-AAA524DA814F}" = CCC Help Greek
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{35A0C956-ACF1-41AB-89DE-1772C8A27ACB}" = Dracula Origin
"{3A1293DF-7D09-BB0F-9576-EC47EE4A9362}" = CCC Help Italian
"{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B08.1124.1
"{47416F0B-6589-591E-C6F8-4235D2230B14}" = Catalyst Control Center InstallProxy
"{4817189D-1785-4627-A33C-39FD90919300}" = Die Sims™ 2 Haustiere
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{625FC7D1-656D-1BEC-F86F-3EACAFDAA8FE}" = CCC Help English
"{64467D47-FFE4-4FBC-ABBA-A0DB829A17EB}" = NVIDIA PhysX
"{65163326-FA1A-4385-8668-83AFEEAE96AF}" = FreeUndelete 2.0.35248.1
"{6522C636-B04C-4333-9BEB-9E0C0B6350D6}" = Die Sims™ 2 Küchen- und Bad-Einrichtungs-Accessoires
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{6BDD9CE6-D0A6-478A-BAD3-BA6945E89EB0}" = Die Sims 2: Family Fun - Accessoires
"{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = Die Sims 2
"{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71828142-5A24-4BD0-97E7-976DA08CE6CF}" = Die Sims™ 3 Luxus-Accessoires
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7351EEF8-9D6C-5F46-5A19-F2C7456CE132}" = CCC Help German
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = Die Sims 2: Open For Business
"{7F172E34-4107-8964-6AEA-5051FFD265FF}" = CCC Help Portuguese
"{7F752BAB-4AFD-4138-983D-7E9E7CFE077D}" = GameSpy Comrade
"{82EF29B1-9B60-4142-A155-0599216DD053}" = LightScribe System Software
"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86095E92-1959-8364-920E-82E81F64F8FB}" = AMD VISION Engine Control Center
"{87885939-F824-42bf-B790-231B1E8EF2BB}" = dj_sf_software
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89D05F35-933A-89C0-B935-C92BEE4229BD}" = CCC Help French
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CFA9151-6404-409A-AF22-4632D04582FD}" = Assassin's Creed
"{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}" = SWAT 4
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{905D4F6B-FADC-4CA4-AA41-BD32A2E446CE}" = Anno 1701 - Der Fluch des Drachen
"{910F4A29-1134-49E0-AD8B-56E4A3152BD1}" = Die Sims™ 3 Traumkarrieren
"{91120407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{959E4378-CCA1-E4E4-2425-793DA92E8D95}" = CCC Help Czech
"{96BB3C67-4EB4-9757-E0C2-C0D2FE9053B1}" = CCC Help Turkish
"{974F4B73-2017-E174-9070-3F58F01B341F}" = CCC Help Danish
"{97E12F84-C033-4DA2-97D2-F540C3E292EA}" = Installer
"{98E20A18-3C29-86FA-50B4-918C2B34A082}" = CCC Help Hungarian
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CDBC303-3EED-40b0-8E41-A7C65AA96C26}" = Die Sims™ 2: Glamour-Accessoires
"{9E2E5EB3-DC6E-9277-E9DB-13175E7DDA39}" = CCC Help Dutch
"{A2433A63-5F5D-40E5-B529-9123C2B3E734}" = Anno 1701
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAACC0A5-4382-04D0-C75E-0669C7B949B6}" = CCC Help Japanese
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{ACEF4078-9B86-2455-E18D-34D52D37D9D5}" = CCC Help Chinese Standard
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}" = @BIOS Ver.2.04
"{B55FB422-B803-11F5-5582-B3666EA1B9AC}" = Catalyst Control Center Localization All
"{B6A24D2D-1ADB-4553-87FD-38F3FAADC18E}_is1" = The Book of Unwritten Tales 1.0.0.0
"{B8010864-15F8-613B-20EF-AC35B14B3E0D}" = CCC Help Russian
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = Die Sims™ 3 Reiseabenteuer
"{BD136CE7-6666-4273-A056-8D92F8625AAB}" = Sun ODF Plugin for Microsoft Office 3.2
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = Die Sims™ 3
"{C1342411-5A98-DE8A-5629-D0C518E1C280}" = CCC Help Finnish
"{D08B4177-5160-6B66-8934-2F9012134D61}" = CCC Help Thai
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{D34A6029-FB1A-9EA8-A938-5393F82A3A00}" = CCC Help Korean
"{D9E52CD1-9DF1-4A8A-9BDC-1E5E53982F2B}" = Black & White® 2
"{DF315348-721C-40B8-BAE2-58C6C7D935A2}" = Empire Earth II
"{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = Die Sims™ 2 Vier Jahreszeiten
"{E2F0AF23-FE2F-4222-9A43-55E63CC41EF1}" = Catalyst Control Center - Branding
"{E3A09D13-4D40-3CF8-7D32-8BD55F8D1533}" = CCC Help Spanish
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2C35491-9323-3AE7-6023-6B4128045153}" = CCC Help Swedish
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F7529650-B9DB-481B-0089-A2AC3C2821C1}" = Die Sims 2: Nightlife
"{FC66A32F-1A57-AC5C-4F12-DAC2F4CB77A0}" = CCC Help Chinese Traditional
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"350.000 Premium Cliparts_is1" = DATA BECKER 350.000 Premium Cliparts
"A Vampyre Story" = A Vampyre Story
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AnyDVD" = AnyDVD
"Art of Murder/DE-German_is1" = Die Kunst des Mordens: Geheimakte FBI
"Ceville" = Ceville 1.0
"CloneDVD2" = CloneDVD2
"Das Vermächtnis - Testament of Sin_is1" = Das Vermächtnis - Testament of Sin (1.0)
"GameSpy Arcade" = GameSpy Arcade
"Google Chrome" = Google Chrome
"InstallShield_{457D7505-D665-4F95-91C3-ECB8C56E9ACA}" = Easy Tune 6 B08.1124.1
"InstallShield_{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III
"InstallShield_{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}" = SWAT 4
"InstallShield_{97E12F84-C033-4DA2-97D2-F540C3E292EA}" = SWAT 4 - THE STETCHKOV SYNDICATE
"Jack Keane" = Jack Keane
"Mein CEWE FOTOBUCH" = Mein CEWE FOTOBUCH
"Mozilla Firefox 19.0.2 (x86 de)" = Mozilla Firefox 19.0.2 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Network Print Monitor" = Network Print Monitor for Windows
"OpenAL" = OpenAL
"Paradise City_is1" = Escape From Paradise City 1.0.0
"S2TNG" = Die Siedler II - Die nächste Generation
"So Blonde" = So Blonde
"StarCraft" = StarCraft
"StarCraft II" = StarCraft II
"StarCraft II Beta" = StarCraft II Beta
"Tales of Monkey Island" = Tales of Monkey Island
"Theme Park World" = Theme Park World
"Treasure Island" = Treasure Island
"Two Worlds" = Two Worlds
"WinAce Archiver" = WinAce Archiver
"Winamp" = Winamp
"Xfire" = Xfire (remove only)
"Xvid_is1" = Xvid 1.2.2 final uninstall
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 31.12.2007 18:24:42 | Computer Name = Desktop01 | Source = .NET Runtime | ID = 1025
Description = 
 
Error - 31.12.2007 18:25:14 | Computer Name = Desktop01 | Source = .NET Runtime | ID = 1026
Description = 
 
Error - 31.12.2007 18:31:55 | Computer Name = Desktop01 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 31.12.2007 18:36:07 | Computer Name = Desktop01 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 31.12.2007 18:36:07 | Computer Name = Desktop01 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 31.12.2007 18:36:11 | Computer Name = Desktop01 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 31.12.2007 18:36:12 | Computer Name = Desktop01 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 31.12.2007 18:37:04 | Computer Name = Desktop01 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 31.12.2007 18:37:13 | Computer Name = Desktop01 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 31.12.2007 18:37:14 | Computer Name = Desktop01 | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 13.07.2012 13:12:07 | Computer Name = Desktop01 | Source = WinMgmt | ID = 10
Description = 
 
[ System Events ]
Error - 04.04.2013 12:41:40 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 06.04.2013 04:49:22 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7009
Description = 
 
Error - 06.04.2013 04:49:22 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 07.04.2013 03:42:48 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7009
Description = 
 
Error - 07.04.2013 03:42:48 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 07.04.2013 07:04:29 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7011
Description = 
 
Error - 07.04.2013 07:06:19 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7009
Description = 
 
Error - 07.04.2013 07:06:19 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 07.04.2013 07:24:08 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7009
Description = 
 
Error - 07.04.2013 07:24:08 | Computer Name = Desktop01 | Source = Service Control Manager | ID = 7000
Description = 
 
[ WSSG Events ]
Error - 21.01.2012 13:25:59 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 22.01.2012 07:55:38 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 23.01.2012 04:50:02 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 31.01.2012 14:47:21 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 02.02.2012 07:23:01 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 02.02.2012 08:21:16 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 02.02.2012 10:21:16 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 06.02.2012 12:59:29 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 08.02.2012 10:19:00 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 17.02.2012 10:34:55 | Computer Name = Desktop01 | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
 
< End of report >
         
Bei GMER klappt das mit Save.. nicht ich habe dann auf Copy gedrückt, hoffe das geht auch?
Code:
ATTFilter
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-04-12 00:52:27
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD6400AAKS-00A7B0 rev.01.03B01 596,17GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Admin\AppData\Local\Temp\fxlirpoc.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification

---- Registry - GMER 2.1 ----

Reg       HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{92bc8b8a-9b7f-4a35-9dd2-8a56698653b9}@Dhcpv6State  0

---- EOF - GMER 2.1 ----
         
Ist der Rechner soweit OK? Weil dan würde ich mit dem Infizierten weitermachen!?

Vielen Dank schon mal für eure Hilfe

Gruß
MaLi

Alt 12.04.2013, 01:47   #2
aharonov
/// TB-Ausbilder
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Hallo MaLi,

Zitat:
Komisch dachte ich mir nur, dachte immer die Quarantäne ist sicher?
Das ist sie auch. In Quarantäne hat das Ding gar nichts mehr angestellt, aber wer weiss, wie lange er zuvor bereits gewirkt hat, ehe ihn MSE erkannt hat..?

Zitat:
Ich habe sofort auf der Arbeit an einem neutralen Rechner all unsere Passwörter geändert


Zitat:
Da ich nicht sicher bin ob der Trojaner sich auch auf meinem Rechner ausgebreitet hat
Dieser Typ Malware hat keinen Ausbreitungsmechanismus. Und diese Logs sehen auch unauffällig aus. Mach bitte die selben Scans nochmals am infizierten Rechner. Dann können wir kontrollieren, ob alles erwischt wurde oder noch was zu sehen ist.
__________________

__________________

Alt 12.04.2013, 18:39   #3
Malibouman
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Hallo erstmal danke für die schnelle Antwort.

Ich war etwas verunsichert da GMER meinte ein paar Dateien wären modifiziert?!
Aber du bist der Experte , hat mich schon einmal etwas beruhigt, denn ich tausche öfter Daten über usb Sticks bei den Rechnern und wären beide infiziert wäre das sehr ärgerlich.

So sorry das es bissel länger gedauert die Arbeit hehe... hier die Loggs des infizierten PC's.

defrogger.txt
Code:
ATTFilter
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 00:22 on 12/04/2013 (Nisi)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
         
OTL.txt
Code:
ATTFilter
OTL logfile created on: 12.04.2013 00:22:43 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Nisi\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,90 Gb Total Physical Memory | 5,41 Gb Available Physical Memory | 68,45% Memory free
15,79 Gb Paging File | 12,78 Gb Available in Paging File | 80,95% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 679,00 Gb Total Space | 570,56 Gb Free Space | 84,03% Space Free | Partition Type: NTFS
 
Computer Name: NISI-PC | User Name: Nisi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Nisi\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Freetec\SystemStore\SystemStore.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\Nero\Update\NASvc.exe (Nero AG)
PRC - C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE ()
PRC - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE (SoftThinks SAS)
PRC - C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE (SoftThinks - Dell)
PRC - C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe ()
PRC - C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe ()
PRC - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe ()
PRC - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\9266d6e1f8057b5b62b460cbf33cda21\System.WorkflowServices.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5ecf01964c70e453d71e5d7653912ff9\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\1e04a5319c58010e945220af2751d34e\System.ServiceModel.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\25cfdeaf091f16f3f3a7123a91a179ab\System.Xml.Linq.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\77dfcfed5fd5f67d0d3edc545935bb21\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\3e79256ce40faa9682f9e3511ca115ea\System.ServiceModel.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\2ad51da1b752b19c992fcefd56eb7c01\System.Runtime.Serialization.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\219c68f83fa608b496b163fd6782e696\System.IdentityModel.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\eb33bf977e97e97b12e82c18e36fbaee\SMDiagnostics.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\d7d20811a7ce7cc589153648cbb1ce5c\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\ff7c9a4f41f7cccc47e696c11b9f8469\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\19b3d17c3ce0e264c4fb62028161adf7\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\DataService.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\de-DE\UI\ManagerUI.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\sqlite3.dll ()
MOD - C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll ()
MOD - C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe ()
MOD - c:\program files (x86)\common files\roxio shared\dllshared\SQLite352.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.ServiceModel.resources\3.0.0.0_de_b77a5c561934e089\System.ServiceModel.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_de_b77a5c561934e089\System.resources.dll ()
MOD - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\QtGui4.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\QtXml4.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\QtNetwork4.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\QtCore4.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qmng4.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qgif4.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qjpeg4.dll ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qico4.dll ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (WhsMcClient) -- C:\Program Files\Windows Server\Bin\WhsMcClient.exe (Microsoft Corporation)
SRV:64bit: - (arXfrSvc) -- C:\Program Files\Windows Server\Bin\Microsoft.HomeServer.Archive.TransferService.exe (Microsoft Corporation)
SRV:64bit: - (ServiceProviderRegistry) -- C:\Program Files\Windows Server\Bin\ProviderRegistryService.exe (Microsoft Corporation)
SRV:64bit: - (AMPPALR3) -- C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe (Intel Corporation)
SRV:64bit: - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
SRV:64bit: - (MyWiFiDHCPDNS) -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe ()
SRV:64bit: - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
SRV:64bit: - (LoClntService) -- C:\Program Files\Windows Server\Bin\LightsOutClientService.exe (AxoNet Software GmbH)
SRV:64bit: - (BTHSSecurityMgr) -- C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe (Intel(R) Corporation)
SRV:64bit: - (LANConfig) -- C:\Program Files\Windows Server\Bin\LANConfigSvc.exe (Microsoft Corporation)
SRV:64bit: - (WSS_ComputerBackupProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (SqmProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (providers_system) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (NotificationsProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (initMonitor) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (HealthAlertsSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (WSConnectorUpdate) -- C:\Program Files\Windows Server\Bin\WSConnectorUpdate.exe (Microsoft Corporation)
SRV:64bit: - (TurboBoost) -- C:\Program Files\Intel\TurboBoost\TurboBoost.exe (Intel(R) Corporation)
SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV:64bit: - (AERTFilters) -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe (Andrea Electronics Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (SystemStoreService) -- C:\Program Files (x86)\Freetec\SystemStore\SystemStore.exe ()
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SelfUpdateService) -- C:\Program Files (x86)\Freetec\SystemStore\SelfUpdate.exe ()
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (NAUpdate) -- C:\Program Files (x86)\Nero\Update\NASvc.exe (Nero AG)
SRV - (SftService) -- C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE (SoftThinks SAS)
SRV - (Bluetooth OBEX Service) -- C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe (Intel Corporation)
SRV - (Bluetooth Media Service) -- C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe (Intel Corporation)
SRV - (Bluetooth Device Monitor) -- C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe (Intel Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (RoxWatch12) -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe (Sonic Solutions)
SRV - (RoxMediaDB12OEM) -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe (Sonic Solutions)
SRV - (NOBU) -- C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe (Dell, Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (nvpciflt) -- C:\Windows\SysNative\drivers\nvpciflt.sys (NVIDIA Corporation)
DRV:64bit: - (nvkflt) -- C:\Windows\SysNative\drivers\nvkflt.sys (NVIDIA Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV:64bit: - (acedrv10) -- C:\Windows\SysNative\drivers\acedrv10.sys (Protect Software GmbH)
DRV:64bit: - (acehlp10) -- C:\Windows\SysNative\drivers\acehlp10.sys (Protect Software GmbH)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (iBtFltCoex) -- C:\Windows\SysNative\drivers\iBtFltCoex.sys (Intel Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (btmhsf) -- C:\Windows\SysNative\drivers\btmhsf.sys (Intel Corporation)
DRV:64bit: - (AMPPALP) -- C:\Windows\SysNative\drivers\AmpPal.sys (Windows (R) Win 7 DDK provider)
DRV:64bit: - (AMPPAL) -- C:\Windows\SysNative\drivers\AmpPal.sys (Windows (R) Win 7 DDK provider)
DRV:64bit: - (NETwNs64) -- C:\Windows\SysNative\drivers\NETwNs64.sys (Intel Corporation)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek                                            )
DRV:64bit: - (btmaux) -- C:\Windows\SysNative\drivers\btmaux.sys (Intel Corporation)
DRV:64bit: - (btmaudio) -- C:\Windows\SysNative\drivers\btmaud.sys (Intel Corporation)
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (BackupReader) -- C:\Windows\SysNative\drivers\BackupReader.sys (Microsoft Corporation)
DRV:64bit: - (nusb3xhc) -- C:\Windows\SysNative\drivers\nusb3xhc.sys (Renesas Electronics Corporation)
DRV:64bit: - (nusb3hub) -- C:\Windows\SysNative\drivers\nusb3hub.sys (Renesas Electronics Corporation)
DRV:64bit: - (CtClsFlt) -- C:\Windows\SysNative\drivers\CtClsFlt.sys (Creative Technology Ltd.)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (JMCR) -- C:\Windows\SysNative\drivers\jmcr.sys (JMicron Technology Corporation)
DRV:64bit: - (Acceler) -- C:\Windows\SysNative\drivers\Accelern.sys (ST Microelectronics)
DRV:64bit: - (NvStUSB) -- C:\Windows\SysNative\drivers\nvstusb.sys ()
DRV:64bit: - (TurboB) -- C:\Windows\SysNative\drivers\TurboB.sys (Intel(R) Corporation)
DRV:64bit: - (RMCAST) -- C:\Windows\SysNative\drivers\rmcast.sys (Microsoft Corporation)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV:64bit: - (stdcfltn) -- C:\Windows\SysNative\drivers\stdcfltn.sys (ST Microelectronics)
DRV:64bit: - (qicflt) -- C:\Windows\SysNative\drivers\qicflt.sys (Quanta Computer)
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Sonic Solutions)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (15580312) -- C:\Windows\SysNative\drivers\15580312.sys (Kaspersky Lab)
DRV:64bit: - (15580311) -- C:\Windows\SysNative\drivers\15580311.sys (Kaspersky Lab)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (WimFltr) -- C:\Windows\SysNative\drivers\WimFltr.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {618E9691-F6C7-48C3-9201-A0670B68E6C7}
IE:64bit: - HKLM\..\SearchScopes\{618E9691-F6C7-48C3-9201-A0670B68E6C7}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {618E9691-F6C7-48C3-9201-A0670B68E6C7}
IE - HKLM\..\SearchScopes\{618E9691-F6C7-48C3-9201-A0670B68E6C7}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USCON/8
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\..\SearchScopes,DefaultScope = {618E9691-F6C7-48C3-9201-A0670B68E6C7}
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..extensions.enabledAddons: finder@meingutscheincode.de:3.0.3
FF - prefs.js..extensions.enabledAddons: stealthyextension@gmail.com:2.5
FF - prefs.js..extensions.enabledAddons: {8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}:2.6.10
FF - prefs.js..extensions.enabledAddons: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.119
FF - prefs.js..network.proxy.ftp: "188.138.246.47"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.http: "188.138.246.47"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.no_proxies_on: "localhost, 127.0.0.1, stealthy.co"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "188.138.246.47"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "188.138.246.47"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..network.proxy.type: 0
 
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.20 10:43:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\msktbird@mcafee.com: C:\Program Files\McAfee\MSK
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.20 10:43:27 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
 
[2011.11.28 21:33:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nisi\AppData\Roaming\mozilla\Extensions
[2013.04.10 21:16:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nisi\AppData\Roaming\mozilla\Firefox\Profiles\z7sfb9dg.default\extensions
[2013.03.08 22:15:29 | 000,000,000 | ---D | M] (PriceGong) -- C:\Users\Nisi\AppData\Roaming\mozilla\Firefox\Profiles\z7sfb9dg.default\extensions\{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}
[2013.04.10 20:29:56 | 000,000,000 | ---D | M] (Bitdefender QuickScan) -- C:\Users\Nisi\AppData\Roaming\mozilla\Firefox\Profiles\z7sfb9dg.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2012.05.15 12:12:50 | 000,105,020 | ---- | M] () (No name found) -- C:\Users\Nisi\AppData\Roaming\mozilla\firefox\profiles\z7sfb9dg.default\extensions\finder@meingutscheincode.de.xpi
[2013.02.10 14:57:53 | 000,185,839 | ---- | M] () (No name found) -- C:\Users\Nisi\AppData\Roaming\mozilla\firefox\profiles\z7sfb9dg.default\extensions\stealthyextension@gmail.com.xpi
[2011.11.28 21:32:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.07.20 10:43:27 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.04.10 16:23:30 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.04.10 16:23:30 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.04.10 16:23:30 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.04.10 16:23:30 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.04.10 16:23:30 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.04.10 16:23:30 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2012.08.23 12:03:39 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (PriceGong - Price Comparison) - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files (x86)\PriceGong\2.6.10\PriceGongIE.dll (PriceGong)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [BTMTrayAgent] C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll (Intel Corporation)
O4:64bit: - HKLM..\Run: [DellStage] C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe ()
O4:64bit: - HKLM..\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelPAN] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
O4:64bit: - HKLM..\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" File not found
O4:64bit: - HKLM..\Run: [Launchpad] C:\Program Files\Windows Server\Bin\Launchpad.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [QuickSet] c:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe ()
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [AccuWeatherWidget] C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe (Dell, Inc.)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe ()
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe (Sonic Solutions)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000010 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 10.5.0)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 10.5.0)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 10.17.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{46CD7530-E428-4AA1-B771-D02512DEA408}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5AE2C78F-0852-4906-82A1-BCD7DED5A405}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~2\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.04.12 00:16:43 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Nisi\Desktop\OTL.exe
[2013.04.11 07:22:30 | 000,000,000 | ---D | C] -- C:\Users\Nisi\AppData\Roaming\Malwarebytes
[2013.04.11 07:22:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.04.11 07:22:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.04.11 07:22:01 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.04.11 07:22:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.04.11 07:18:02 | 000,262,560 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2013.04.11 07:17:50 | 000,095,648 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2013.04.11 03:10:30 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013.04.11 03:10:29 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013.04.11 03:10:17 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013.04.11 03:10:15 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013.04.11 03:10:14 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013.04.11 03:10:14 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013.04.11 03:10:14 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013.04.11 03:10:14 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013.04.11 03:10:07 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013.04.11 03:10:07 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013.04.11 03:10:06 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013.04.11 03:10:04 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013.04.11 03:09:55 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013.04.11 03:09:54 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013.04.11 03:09:54 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013.04.10 20:35:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2013.04.10 20:34:44 | 000,352,784 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\1558031.sys
[2013.04.10 20:34:44 | 000,157,712 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\15580311.sys
[2013.04.10 20:34:44 | 000,040,464 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\15580312.sys
[2013.04.10 20:34:43 | 000,000,000 | ---D | C] -- C:\Users\Nisi\Desktop\DE-Cleaner powered by Kaspersky
[2013.04.10 20:30:00 | 000,000,000 | ---D | C] -- C:\Users\Nisi\AppData\Roaming\QuickScan
[2013.04.10 12:31:52 | 005,550,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013.04.10 12:31:51 | 003,968,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013.04.10 12:31:51 | 003,913,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013.04.10 12:31:50 | 000,112,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\smss.exe
[2013.04.10 12:31:50 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2013.04.10 12:31:47 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\apisetschema.dll
[2013.03.26 16:59:43 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\usb8023.sys
[2013.03.25 18:31:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2013.03.25 18:31:18 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013.03.22 15:15:07 | 000,000,000 | ---D | C] -- C:\Users\Nisi\Documents\Dokumente vom USB STick
[2013.03.17 21:39:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013.03.17 21:38:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013.03.17 21:38:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2013.03.16 19:38:00 | 000,000,000 | ---D | C] -- C:\Users\Nisi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
 
========== Files - Modified Within 30 Days ==========
 
[2013.04.12 00:22:07 | 000,000,000 | ---- | M] () -- C:\Users\Nisi\defogger_reenable
[2013.04.12 00:17:39 | 001,612,484 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.04.12 00:17:39 | 000,696,870 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.04.12 00:17:39 | 000,652,148 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.04.12 00:17:39 | 000,148,134 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.04.12 00:17:39 | 000,121,080 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.04.12 00:17:15 | 000,377,856 | ---- | M] () -- C:\Users\Nisi\Desktop\gmer_2.1.19163.exe
[2013.04.12 00:17:10 | 000,050,477 | ---- | M] () -- C:\Users\Nisi\Desktop\Defogger.exe
[2013.04.12 00:16:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Nisi\Desktop\OTL.exe
[2013.04.12 00:13:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.04.12 00:13:00 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2013.04.12 00:09:30 | 000,021,072 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.04.12 00:09:30 | 000,021,072 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.04.12 00:00:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.04.12 00:00:42 | 2064,252,927 | -HS- | M] () -- C:\hiberfil.sys
[2013.04.11 07:22:07 | 000,001,115 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.04.11 07:17:45 | 000,095,648 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2013.04.11 07:17:43 | 000,262,560 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2013.04.11 07:17:43 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2013.04.11 07:17:42 | 000,861,088 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2013.04.11 07:17:42 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2013.04.11 07:17:41 | 000,782,240 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\deployJava1.dll
[2013.04.11 07:13:26 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013.04.11 07:13:26 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013.04.11 03:45:16 | 000,349,888 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.04.04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.04.02 13:40:15 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2013.03.25 18:31:53 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013.03.20 19:57:26 | 709,350,934 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013.03.19 08:04:06 | 005,550,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2013.03.19 07:46:56 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2013.03.19 07:04:13 | 003,968,856 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2013.03.19 07:04:10 | 003,913,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2013.03.19 06:47:50 | 000,006,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\apisetschema.dll
[2013.03.19 05:06:33 | 000,112,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\smss.exe
[2013.03.16 19:47:13 | 000,000,218 | ---- | M] () -- C:\Users\Nisi\Desktop\Half-Life.url
[2013.03.16 19:38:00 | 000,000,219 | ---- | M] () -- C:\Users\Nisi\Desktop\Left 4 Dead 2.url
 
========== Files Created - No Company Name ==========
 
[2013.04.12 00:22:07 | 000,000,000 | ---- | C] () -- C:\Users\Nisi\defogger_reenable
[2013.04.12 00:17:14 | 000,377,856 | ---- | C] () -- C:\Users\Nisi\Desktop\gmer_2.1.19163.exe
[2013.04.12 00:17:10 | 000,050,477 | ---- | C] () -- C:\Users\Nisi\Desktop\Defogger.exe
[2013.04.11 07:22:07 | 000,001,115 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.04.11 06:51:50 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.25 18:31:27 | 000,002,079 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013.03.25 18:27:46 | 000,001,912 | ---- | C] () -- C:\Windows\epplauncher.mif
[2013.03.16 19:47:13 | 000,000,218 | ---- | C] () -- C:\Users\Nisi\Desktop\Half-Life.url
[2013.03.16 19:38:00 | 000,000,219 | ---- | C] () -- C:\Users\Nisi\Desktop\Left 4 Dead 2.url
[2013.01.02 21:52:14 | 000,003,590 | ---- | C] () -- C:\Users\Nisi\.TransferManager.db
[2012.10.05 10:57:04 | 000,000,917 | ---- | C] () -- C:\Windows\wiso.ini
[2012.06.13 16:48:47 | 000,016,098 | ---- | C] () -- C:\Windows\German2.ini
[2011.12.23 18:45:15 | 000,007,591 | ---- | C] () -- C:\Users\Nisi\AppData\Local\Resmon.ResmonCfg
[2011.12.20 12:56:39 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2011.11.25 05:48:56 | 000,066,856 | ---- | C] () -- C:\Windows\SysWow64\SynTPEnhPS.dll
[2011.11.25 05:48:04 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2011.11.25 05:48:00 | 000,218,304 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2011.11.25 05:47:59 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2011.11.25 05:47:58 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2011.11.25 05:47:57 | 013,903,872 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
 
========== ZeroAccess Check ==========
 
[2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
         
Extras.txt
Code:
ATTFilter
OTL Extras logfile created on: 12.04.2013 00:22:43 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Nisi\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,90 Gb Total Physical Memory | 5,41 Gb Available Physical Memory | 68,45% Memory free
15,79 Gb Paging File | 12,78 Gb Available in Paging File | 80,95% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 679,00 Gb Total Space | 570,56 Gb Free Space | 84,03% Space Free | Partition Type: NTFS
 
Computer Name: NISI-PC | User Name: Nisi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{13D97D88-D2E8-4CA1-9376-048A09F65DED}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{181A5E4A-5C2E-4FE4-8B33-98EA622CC92A}" = lport=9701 | protocol=6 | dir=in | name=syncup_tcp_9701 | 
"{18AC6FF6-8B2E-4527-80EB-37DABEAA3AFB}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{1A0A7359-9EA3-47FD-8502-04C0B0158C99}" = lport=137 | protocol=17 | dir=in | app=system | 
"{27713990-E831-4532-B1BD-22280D53F06B}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{2B3AC4CE-7128-4A22-8C59-5466636028E2}" = rport=139 | protocol=6 | dir=out | app=system | 
"{3133DD8F-7C7B-4FB8-9586-D1B76D9213F5}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) | 
"{4019754F-5D69-4C42-8AB4-3A51DEB53789}" = lport=138 | protocol=17 | dir=in | app=system | 
"{490805C2-9298-40F1-B8FD-695568158CA2}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{583469EB-9D9F-4660-9D4D-F78804747A35}" = rport=445 | protocol=6 | dir=out | app=system | 
"{63CD405B-0D24-4D3E-BB67-A43796E75850}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{6B86CB45-634C-41FB-9C78-973F4F202231}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) | 
"{6DD606EE-409F-48CC-AA87-0FFF0EB1B684}" = lport=9702 | protocol=6 | dir=in | name=syncup_tcp_9702 | 
"{7282BC63-B3D8-4B4F-94E9-416027E5E208}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{7BA20356-48E9-49E4-A706-5C85FABD8991}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{8EC6F9FD-278F-49F8-8A09-6E38752A264B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{9A935D45-6C85-4027-835F-62C5A9E3C162}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{AC6A3D4F-9DEC-41B9-B470-012083F36877}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{AF173F22-AE3A-49DC-B6CA-C68BB3A68E5D}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{B53DAA7A-BC41-4B23-9005-0FBE8597799C}" = rport=138 | protocol=17 | dir=out | app=system | 
"{B58A8717-31F3-4EA5-A345-AAB67D5478B0}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{BA7ECED6-C921-4F5E-975C-3E7E707C1DF0}" = rport=137 | protocol=17 | dir=out | app=system | 
"{C7954649-2F91-4F64-9350-36973FB0BC2C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{CA912FD7-B9F5-422C-86E4-C82665C0CB59}" = lport=139 | protocol=6 | dir=in | app=system | 
"{D14A02B3-7272-48F0-A89E-81E737421A95}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{D8FCEF11-6AD1-40A3-A4A6-359ADB470998}" = lport=445 | protocol=6 | dir=in | app=system | 
"{E380D567-3494-4927-A9D0-BC90CEEC1E13}" = lport=9700 | protocol=6 | dir=in | name=syncup_tcp_9700 | 
"{F5E9E9D5-1DBA-426D-BB3B-7AA1B6431118}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{FD64EF5A-5BC7-49BE-BCB6-4FB4FCA8BDD9}" = lport=9700 | protocol=17 | dir=in | name=syncup_udp_9700 | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0091CA9A-CF6E-4D18-967C-2937847F9CA6}" = protocol=6 | dir=in | app=c:\program files (x86)\games\stronghold 2\stronghold2.exe | 
"{00B77DF7-F513-4374-8E1C-18FD22F77537}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremote.exe | 
"{014DBAF2-CAC0-45B9-954F-DEC576B03C20}" = dir=in | app=c:\program files\intel\wifi\bin\pandhcpdns.exe | 
"{02A62DE1-5CCC-478A-86AD-1F3576BC8B31}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe | 
"{05AA6016-1713-470D-8390-546C0DA85EB5}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{0D7C52D4-18FA-4E07-A952-CE7A698FDA45}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\cities xl 2012\citiesxl_2012.exe | 
"{134BB500-60F6-4574-A757-EF6F4471E630}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe | 
"{1BED9E8D-4C4E-4F53-BEF4-05DEE5591E1C}" = protocol=6 | dir=out | app=system | 
"{22F33388-648B-401B-92E6-C5D8AF11F5AE}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe | 
"{29AF3861-AA42-4954-AB39-0B1E1142B1B7}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{2F159117-5813-4F33-851C-F9DF09A731D8}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremoteservice.exe | 
"{30100AFB-BFAF-4C00-98C9-E858AA9FEE47}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\stronghold3\bin\win32_release\stronghold3.exe | 
"{34CEEAB9-1351-4348-B419-506B16A174DE}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{3B761C6C-17E1-414A-8ADC-060BFDE59226}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe | 
"{3C9C9066-2B4E-4BD1-AF94-C0CD6ED5F597}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremote.exe | 
"{43FD9297-A2E3-4155-9D88-406A5FF2AF34}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\installerhelp.exe | 
"{46356146-359E-4FB2-B4A4-670EEC409074}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{4957A5E9-DDD4-4958-9140-3801C3ABE06E}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\sherlock holmes the awakened - remastered\game.exe | 
"{4B2DFB45-AE3D-46D5-BFBD-1582B5AC677F}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe | 
"{4EB6028D-0E34-4ACF-84CD-93B07D15A936}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe | 
"{5188F43D-23D6-48C9-945E-E833FC9E169B}" = dir=in | app=c:\program files (x86)\dell\videostage\videostage.exe | 
"{52218050-BAD6-42F0-9C9F-2A867EEA824F}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{5A0AD194-E4E9-453F-BE17-BEADB75E41B2}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\half-life\hl.exe | 
"{5C4679A1-3ADC-4C23-9A0B-58228FFB1BA8}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\cities xl 2012\citiesxl_2012.exe | 
"{5E872F11-56F0-40F0-8CB7-BC9EB7DFB77A}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead 2\left4dead2.exe | 
"{6014FF7B-326C-4E94-936C-FA604B13DCA1}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\dmr.exe | 
"{60A1B298-0C24-4F75-AF71-96DA64D39B8D}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\dmr.exe | 
"{60BBBE64-4912-4431-A537-4F02E16253BE}" = dir=in | app=c:\program files\dell stage\dell stage\stage_primary.exe | 
"{6177C54A-33D8-4700-9097-69D2D4999062}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{62CDAD45-A05B-46B2-8FAF-57F61F07CEE1}" = protocol=17 | dir=in | app=c:\program files (x86)\games\stronghold 2\stronghold2.exe | 
"{63E270B8-1EF1-4E76-8E7D-6073F025B6A9}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{63EB5150-EB17-45ED-9A1A-942BD2CBFC8D}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\controller.exe | 
"{6411E4B8-3B82-4038-8D24-9AB22B3280DE}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{643531FB-2A48-4BC6-B478-6D1586FBE8DE}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead 2\left4dead2.exe | 
"{65D174F6-88BC-4157-A40B-64FE39C9BFF3}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\stronghold3\bin\win32_release\stronghold3.exe | 
"{700F6398-F1FF-4746-9C9E-083E3520801E}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe | 
"{75E26F43-1E81-474F-BA68-19BE7B311F54}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\fr33k23\counter-strike source\hl2.exe | 
"{79BA8FD2-2FD3-40D2-B621-7C5C9D9C50ED}" = dir=in | app=c:\program files\dell stage\dell stage\accuweather\accuweather.exe | 
"{7A08A6D9-3EC5-487C-8AC7-7BAA83037879}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe | 
"{7F201D55-BA3F-4D14-84B2-022953AE9BB9}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{7F693A3A-C0C3-451E-A08D-BCE5140826F1}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{87535652-8331-4C0F-A179-12C0A45F756F}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{A597D212-32A8-42C9-A114-0101E99CE489}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\controller.exe | 
"{AAF92265-FDB7-4668-BEA2-D0E43B5315A3}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{ABAA28B1-C155-4A6A-903A-58E1A75E3614}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\half-life\hl.exe | 
"{AEF81752-2AC8-4BA7-9363-8AE69D3D998E}" = protocol=17 | dir=in | app=c:\program files (x86)\dell\stage remote\installerhelp.exe | 
"{B6A0611E-3AEA-4C07-9E1B-2C6E1FD9A843}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\fr33k23\counter-strike source\hl2.exe | 
"{BAD96B4F-DB4A-40EE-AFA8-0D08BD5A3F86}" = dir=in | app=c:\program files\dell stage\musicstage\musicstageengine.exe | 
"{C0268FCE-9BFB-4362-89FF-6DA1E38121C5}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{C463476D-36C1-4E4D-87E2-F0597C98DBE1}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{CB795453-B1C6-429D-8DA2-FDD2F8BE79F5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{CD02B714-3970-4FEF-9684-46B80551B27F}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\sherlock holmes the mystery of the mummy\game.exe | 
"{CE66D31B-F111-4145-8315-C6EECED3EE94}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{D7E46624-A10F-4776-9432-C2F61327EB0A}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{DB63F771-43C4-4F35-8095-8A101E2D398F}" = protocol=6 | dir=in | app=c:\program files (x86)\dell\stage remote\stageremoteservice.exe | 
"{DF7165A2-C643-4D49-9EEC-0EF1C0E8813B}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{DF9B5495-3490-4827-9A44-896BC6051A5B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{E3A09FED-0BC6-4D59-86CE-CA973F842E13}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{E41D41C9-8B7C-4308-BE01-805BCBA0CA31}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\sherlock holmes the awakened - remastered\game.exe | 
"{F0337A31-BB2D-4992-BD80-31E42BDBF170}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\sherlock holmes the mystery of the mummy\game.exe | 
"{F2EE806D-5392-43DF-AC27-983A54570D47}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{F3C66FA6-1519-40C7-B36C-0244830B8CBC}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
"{FBD1E205-4BE8-4BA8-B814-12357C9DBF29}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe | 
"{FDE64A7C-D409-464F-ACF8-D93C8EBB0300}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"TCP Query User{64EACAE0-ED57-4735-8848-9031DDA7D1A4}C:\program files (x86)\steam\steamapps\common\left 4 dead 2\left4dead2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead 2\left4dead2.exe | 
"TCP Query User{870C584F-178C-4CFC-9BB6-D9A8F113EEBD}C:\program files (x86)\games\stronghold 2\stronghold2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\games\stronghold 2\stronghold2.exe | 
"TCP Query User{FF38FCBB-997D-4934-8FFB-9A9CDF8EAEEA}C:\users\nisi\appdata\roaming\yxahe\noin.exe" = protocol=6 | dir=in | app=c:\users\nisi\appdata\roaming\yxahe\noin.exe | 
"UDP Query User{0FB47843-2673-4206-9CFD-74DC9DCB0228}C:\program files (x86)\steam\steamapps\common\left 4 dead 2\left4dead2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\left 4 dead 2\left4dead2.exe | 
"UDP Query User{30956970-65BD-4804-A089-D8CCD10E2FC9}C:\users\nisi\appdata\roaming\yxahe\noin.exe" = protocol=17 | dir=in | app=c:\users\nisi\appdata\roaming\yxahe\noin.exe | 
"UDP Query User{883AD48F-61D9-445A-983B-93DBE1F14A00}C:\program files (x86)\games\stronghold 2\stronghold2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\games\stronghold 2\stronghold2.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0090A87C-3E0E-43D4-AA71-A71B06563A4A}" = Dell Support Center
"{1493B2AE-0261-47D2-B1AA-F4DAD0F6C48B}" = iTunes
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
"{25FBDA9A-E868-4B3B-B9FF-D923818511A1}" = Intel(R) PROSet/Wireless WiFi-Software
"{26A24AE4-039D-4CA4-87B4-2F86416027FF}" = Java(TM) 6 Update 27 (64-bit)
"{26A24AE4-039D-4CA4-87B4-2F86417005FF}" = Java(TM) 7 Update 5 (64-bit)
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}" = Apple Mobile Device Support
"{7CE8BE79-ABC3-4B2C-9543-28ED2B0A9EA8}" = Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology
"{87CF757E-C1F1-4D22-865C-00C6950B5258}" = Quickset64
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D6DFAD6-09E5-445E-A4B5-A388FEEBD90D}" = RBVirtualFolder64Inst
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Treiber 306.97
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 306.97
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Optimus" = NVIDIA Optimus 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B77EFA0B-9BD3-4122-9F9A-15A963B5EA24}" = Überwachungstool für die Intel® Turbo-Boost-Technik 2.0
"{C1E4D639-4A33-4314-809E-89BD0EF48522}" = Windows Home Server 2011 Connector
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{D5876F0A-B2E9-4376-B9F5-CD47B7B8D820}" = Windows Live Remote Client Resources
"{D930AF5C-5193-4616-887D-B974CEFC4970}" = Windows Live Remote Service Resources
"{D954C6C2-544B-4091-A47F-11E77162883E}" = Microsoft Security Client
"{DA0D6B4B-EED6-4EE8-9ECF-0F7D83F5E0CE}" = Lights-Out Client x64
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{EF79C448-6946-4D71-8134-03407888C054}" = Shared C Run-time for x64
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Dell Support Center" = Dell Support Center
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"ProInst" = Intel PROSet Wireless
"SynTPDeinstKey" = Synaptics Pointing Device Driver
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0CC1DAFB-40C8-4903-953D-471E541477C7}" = WISO Steuer 2012
"{0ED7EE95-6A97-47AA-AD73-152C08A15B04}" = Dell DataSafe Local Backup
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{16D2C649-CBA8-44EE-B730-12584667D487}" = Stronghold 2 Deluxe
"{1DDB95A4-FD7B-4517-B3F1-2BCAA96879E6}" = Windows Live Writer Resources
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{237CCB62-8454-43E3-B158-3ACD0134852E}" = High-Definition Video Playback
"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java(TM) 6 Update 27
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
"{3250260C-7A95-4632-893B-89657EB5545B}" = PhotoShowExpress
"{3255BC3F-32BA-41ED-93A0-B9AEB6CDD9E6}" = Dell MusicStage
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack
"{40F06490-8C14-43AA-99D3-EEEFDBAC3CFC}" = SyncUP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)
"{56A0DD94-47D9-4AC8-B5A1-8A8CA77C4B89}" = Dell Stage
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
"{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}" = Roxio Creator Starter
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7746BFAA-2B5D-4FFD-A0E8-4558F4668105}" = Roxio Burn
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{7EC66A95-AC2D-4127-940B-0445A526AB2F}" = Dell DataSafe Online
"{7FB00B6B-6843-97EC-EED6-78BD6D35370A}" = Zinio Reader 4
"{820B6609-4C97-3A2B-B644-573B06A0F0CC}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{859D4022-B76D-40DE-96EF-C90CDA263F44}" = Windows Live Writer
"{873E4648-6F6E-47F6-A7B2-A6F8DFABDCE6}" = Windows Live Messenger
"{87434D51-51DB-4109-B68F-A829ECDCF380}" = AccelerometerP11
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{9A00EC4E-27E1-42C4-98DD-662F32AC8870}" = Sonic CinePlayer Decoder Pack
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A121EEDE-C68F-461D-91AA-D48BA226AF1C}" = Roxio Activation Module
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A8B88634-7F90-402F-B66A-86429755F6A5}" = eBay
"{A9668246-FB70-4103-A1E3-66C9BC2EFB49}" = Dell DataSafe Local Backup - Support Software
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.5) MUI
"{ACFBE99B-6981-4513-B17E-A2683CEB9EE5}" = Windows Live Mesh
"{AF4D3C63-009B-4A17-B02E-D395065DD3F0}" = Dell Stage Remote
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie
"{B1239994-A850-44E2-BED8-E70A21124E16}" = Windows Live Mail
"{BD136CE7-6666-4273-A056-8D92F8625AAB}" = Sun ODF Plugin for Microsoft Office 3.2
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{C5398A89-516C-4DAF-BA07-EE7949090E56}" = Windows Live Mesh ActiveX control for remote connections
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D92C9CCE-E5F0-4125-977A-0590F3225B74}" = SyncUP
"{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}" = Dell VideoStage 
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E4335E82-17B3-460F-9E70-39D9BC269DB3}" = Dell PhotoStage
"{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{EF56258E-0326-48C5-A86C-3BAC26FC15DF}" = Roxio Creator Starter
"{F06B5C4C-8D2E-4B24-9D43-7A45EEC6C878}" = Roxio Creator Starter
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic
"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel(R) Control Center
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"350.000 Premium Cliparts_is1" = DATA BECKER 350.000 Premium Cliparts
"A Vampyre Story" = A Vampyre Story
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Dell Webcam Central" = Dell Webcam Central
"InstallShield_{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}" = Dell VideoStage 
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.75.0.1300
"Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Network Print Monitor" = Network Print Monitor for Windows
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PriceGong" = PriceGong 2.6.10
"ProInst" = Intel PROSet Wireless
"ProtectDisc Driver 10" = ProtectDisc Helper Driver 10
"Steam App 11130" = Sherlock Holmes: The Mystery of The Mummy
"Steam App 11140" = Sherlock Holmes: The Awakened - Remastered
"Steam App 201760" = Cities XL 2012
"Steam App 240" = Counter-Strike: Source
"Steam App 47400" = Stronghold 3
"Steam App 48000" = LIMBO
"Steam App 550" = Left 4 Dead 2
"Steam App 70" = Half-Life
"WinLiveSuite" = Windows Live Essentials
"ZinioReader4" = Zinio Reader 4
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{D6CC2FAF-F827-4091-96A1-D32CC9B69C79}" = WISO Steuer-Sparbuch 2013
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 03.04.2013 11:11:45 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 10046
 
Error - 03.04.2013 11:11:45 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 10046
 
Error - 03.04.2013 11:11:46 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 03.04.2013 11:11:46 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 11045
 
Error - 03.04.2013 11:11:46 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 11045
 
Error - 03.04.2013 13:52:27 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 03.04.2013 13:52:27 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 9652000
 
Error - 03.04.2013 13:52:27 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 9652000
 
Error - 03.04.2013 13:52:28 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 03.04.2013 13:52:28 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 9653045
 
Error - 03.04.2013 13:52:28 | Computer Name = Nisi-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 9653045
 
[ System Events ]
Error - 10.04.2013 21:48:01 | Computer Name = Nisi-PC | Source = Service Control Manager | ID = 7038
Description = Der Dienst "nvUpdatusService" konnte sich nicht als ".\UpdatusUser"
 mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden:   %%1330    Vergewissern
 Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft
 Management Console (MMC).
 
Error - 10.04.2013 21:48:01 | Computer Name = Nisi-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "NVIDIA Update Service Daemon" wurde aufgrund folgenden
 Fehlers nicht gestartet:   %%1069
 
Error - 10.04.2013 23:41:38 | Computer Name = Nisi-PC | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
 von Dienst SftService erreicht.
 
Error - 10.04.2013 23:42:08 | Computer Name = Nisi-PC | Source = Service Control Manager | ID = 7011
Description = Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung
 von Dienst SftService erreicht.
 
Error - 11.04.2013 00:45:10 | Computer Name = Nisi-PC | Source = DCOM | ID = 10010
Description = 
 
Error - 11.04.2013 03:40:24 | Computer Name = Nisi-PC | Source = Service Control Manager | ID = 7038
Description = Der Dienst "nvUpdatusService" konnte sich nicht als ".\UpdatusUser"
 mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden:   %%1330    Vergewissern
 Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft
 Management Console (MMC).
 
Error - 11.04.2013 03:40:24 | Computer Name = Nisi-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "NVIDIA Update Service Daemon" wurde aufgrund folgenden
 Fehlers nicht gestartet:   %%1069
 
Error - 11.04.2013 18:04:23 | Computer Name = Nisi-PC | Source = Service Control Manager | ID = 7038
Description = Der Dienst "nvUpdatusService" konnte sich nicht als ".\UpdatusUser"
 mit dem aktuellen Kennwort aufgrund des folgenden Fehlers anmelden:   %%1330    Vergewissern
 Sie sich, dass der Dienst richtig konfiguriert ist im Dienste-Snap-In in der Microsoft
 Management Console (MMC).
 
Error - 11.04.2013 18:04:23 | Computer Name = Nisi-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "NVIDIA Update Service Daemon" wurde aufgrund folgenden
 Fehlers nicht gestartet:   %%1069
 
Error - 11.04.2013 18:11:10 | Computer Name = Nisi-PC | Source = Microsoft Antimalware | ID = 2001
Description = Beim Aktualisieren der Signaturen wurde von %%860 ein Fehler festgestellt.

	Neue
 Signaturversion:      Vorherige Signaturversion: 1.147.1550.0     Aktualisierungsquelle: 
%%859     Aktualisierungsphase: %%852     Quellpfad: hxxp://www.microsoft.com     Signaturtyp: 
%%800     Aktualisierungstyp: %%803     Benutzer: NT-AUTORITÄT\SYSTEM     Aktuelle Modulversion:
      Vorherige Modulversion: 1.1.9302.0     Fehlercode: 0x8024402c     Fehlerbeschreibung: Unerwartetes
 Problem bei der Überprüfung auf Updates. Informationen zum Installieren von Updates
 oder zur Problembehandlung finden Sie unter "Hilfe und Support". 
 
[ WSSG Events ]
Error - 20.02.2012 04:55:34 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 20.02.2012 09:07:25 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 21.02.2012 03:50:00 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 10.03.2012 06:29:29 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 12.03.2012 09:55:54 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 13.03.2012 06:55:30 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 23.03.2012 13:19:16 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 23.03.2012 14:04:15 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 04.04.2012 05:23:18 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
Error - 19.04.2012 12:45:56 | Computer Name = Nisi-PC | Source = Windows Server | ID = 268370434
Description = Der Sicherungsauftrag 0 auf "" war nicht erfolgreich.   Grund: ServerUnreachable,
 System.String[]
 
 
< End of report >
         
__________________

Alt 12.04.2013, 18:41   #4
Malibouman
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Habe zu spät gemerkt das Malwarebytes noch läuft, soll ich nochmal ohne Malwarebytes loggen?
Gmer.txt
Code:
ATTFilter
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-04-12 02:07:09
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST975042 rev.0002 698,64GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\Nisi\AppData\Local\Temp\pxldqpod.sys


---- User code sections - GMER 2.1 ----

.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                              0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                              0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                              0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\kernel32.dll!RegSetValueExA                                       0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                   000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                     000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                        000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                 000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                  000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\ole32.dll!CoCreateInstance                                        000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1992] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                       000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2600] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                  0000000076f31465 2 bytes [F3, 76]
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2600] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                 0000000076f314bb 2 bytes [F3, 76]
.text   ...                                                                                                                                                  * 2
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                       0000000076f31465 2 bytes [F3, 76]
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                      0000000076f314bb 2 bytes [F3, 76]
.text   ...                                                                                                                                                  * 2
.text   C:\Program Files (x86)\Freetec\SystemStore\SystemStore.exe[3060] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69                             0000000076f31465 2 bytes [F3, 76]
.text   C:\Program Files (x86)\Freetec\SystemStore\SystemStore.exe[3060] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155                            0000000076f314bb 2 bytes [F3, 76]
.text   ...                                                                                                                                                  * 2
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                  0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                         000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                         00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                         0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                           0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                              0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                            0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                   0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                           00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                             00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                  00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[4368] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                   0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Windows\system32\Dwm.exe[1680] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                                                000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Windows\system32\Dwm.exe[1680] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                  000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Windows\system32\Dwm.exe[1680] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                                     000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Windows\system32\Dwm.exe[1680] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                                              000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Windows\system32\Dwm.exe[1680] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                                               000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Windows\system32\Dwm.exe[1680] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                                             000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Windows\system32\Dwm.exe[1680] C:\Windows\system32\dxgi.dll!CreateDXGIFactory                                                                     000007fee78e4da4 7 bytes JMP 000007ffe78d00d8
.text   C:\Windows\system32\Dwm.exe[1680] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1                                                                    000007fee7909af4 7 bytes JMP 000007ffe78d0110
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                            0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                          0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                          0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                                          0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\kernel32.dll!RegSetValueExA                                                   0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                               000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                 000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                    000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                             000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                              000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                            000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\ole32.dll!CoCreateInstance                                                    000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[300] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                                   000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                        0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                      0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                      0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                                      0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\kernel32.dll!RegSetValueExA                                               0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                           000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                             000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                         000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                          000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                        000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\ole32.dll!CoCreateInstance                                                000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4172] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                               000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                          0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                        0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                        0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                                        0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\kernel32.dll!RegSetValueExA                                                 0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                             000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                               000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                  000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                           000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\ole32.dll!CoCreateInstance                                                  000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                                 000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                            000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[2660] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                          000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                                        0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                                      0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                                      0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                                                      0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\kernel32.dll!RegSetValueExA                                                               0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                                           000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                             000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                                000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                                         000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                                          000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                                        000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\ole32.dll!CoCreateInstance                                                                000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Windows\System32\igfxpers.exe[3164] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                                               000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                   0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW          000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx          00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation          0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW            0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW               0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW             0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                 0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                    0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList            00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo              00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                   00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe[4692] C:\Windows\syswow64\ole32.dll!CoCreateInstance                    0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                         0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                       0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                       0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                       0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\kernel32.dll!RegSetValueExA                                0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                            000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                              000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                 000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                          000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                           000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                         000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\ole32.dll!CoCreateInstance                                 000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[3000] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                             0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                           0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                           0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                                           0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\kernel32.dll!RegSetValueExA                                                    0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                                000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                  000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                     000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                              000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                               000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                             000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\ole32.dll!CoCreateInstance                                                     000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Program Files\Dell\QuickSet\quickset.exe[4616] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                                    000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                       0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                              000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                              00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                              0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                                0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                   0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                                 0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                     0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                        0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                                00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                                  00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                       00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[4892] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                        0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                  0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                                0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\kernel32.dll!RegSetValueExA                                         0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                     000007fefd293460 7 bytes JMP 000007fffd2700d8
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                       000007fefd299940 6 bytes JMP 000007fffd270148
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                          000007fefd299fb0 5 bytes JMP 000007fffd270180
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                   000007fefd29a150 5 bytes JMP 000007fffd270110
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\ole32.dll!CoCreateInstance                                          000007fefd807490 11 bytes JMP 000007fffd270228
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                         000007fefd81bf00 7 bytes JMP 000007fffd270260
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                    000007fefd6989e0 8 bytes JMP 000007fffd2701f0
.text   C:\Program Files\Microsoft Security Client\msseces.exe[4660] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                  000007fefd69be40 8 bytes JMP 000007fffd2701b8
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW                              0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx                            0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation                            0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW                            0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNEL32.dll!RegSetValueExA                                     0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                 000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                   000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                      000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                               000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                              000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\ole32.dll!CoCreateInstance                                      000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Program Files\Windows Server\Bin\LightsOutClientGui.exe[5824] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                     000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                 0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                        000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                        00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                        0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                          0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                             0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                           0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                               0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                  0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                          00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                            00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                 00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                  0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                         0000000076f31465 2 bytes [F3, 76]
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[5812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                        0000000076f314bb 2 bytes [F3, 76]
.text   ...                                                                                                                                                  * 2
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                         0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                  0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                     0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                   0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                       0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                          0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                  00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                    00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                         00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[5960] C:\Windows\syswow64\ole32.dll!CoCreateInstance                          0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                       000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                       00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                       0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                         0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                            0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                          0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                              0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                 0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                         00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                           00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[5236] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                 0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                              0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                     000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                     00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                     0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                       0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                          0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                        0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                            0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                               0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                       00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                         00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                              00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe[5568] C:\Windows\syswow64\ole32.dll!CoCreateInstance                               0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                            0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                                   000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                                   00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                                   0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                                     0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                        0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                                      0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                          0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                             0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                                     00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                                       00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                            00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe[5748] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                             0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                                 0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                                        000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                                        00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                                        0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                                          0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                             0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                                           0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                               0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                  0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                                          00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                                            00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                                 00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\iTunes\iTunesHelper.exe[5464] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                                  0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW                                  0000000076b9efe0 5 bytes JMP 000000016fff0148
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx                                0000000076bc99b0 7 bytes JMP 000000016fff00d8
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\kernel32.dll!K32GetModuleInformation                                0000000076bd94d0 5 bytes JMP 000000016fff0180
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW                                0000000076bd9640 5 bytes JMP 000000016fff0110
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\kernel32.dll!RegSetValueExA                                         0000000076bfa500 7 bytes JMP 000000016fff01b8
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                     000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                       000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                          000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                   000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                    000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5796] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                  000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Windows\system32\wbem\unsecapp.exe[5548] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                                      000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Windows\system32\wbem\unsecapp.exe[5548] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                        000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Windows\system32\wbem\unsecapp.exe[5548] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                           000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Windows\system32\wbem\unsecapp.exe[5548] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                                    000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Windows\system32\wbem\unsecapp.exe[5548] C:\Windows\system32\ole32.dll!CoCreateInstance                                                           000007fefd807490 11 bytes JMP 000007fffd280228
.text   C:\Windows\system32\wbem\unsecapp.exe[5548] C:\Windows\system32\ole32.dll!CoSetProxyBlanket                                                          000007fefd81bf00 7 bytes JMP 000007fffd280260
.text   C:\Windows\system32\wbem\unsecapp.exe[5548] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                                     000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Windows\system32\wbem\unsecapp.exe[5548] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                                   000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5868] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                           000007fefd293460 7 bytes JMP 000007fffd2800d8
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5868] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                             000007fefd299940 6 bytes JMP 000007fffd280148
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5868] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                                000007fefd299fb0 5 bytes JMP 000007fffd280180
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5868] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                         000007fefd29a150 5 bytes JMP 000007fffd280110
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5868] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                          000007fefd6989e0 8 bytes JMP 000007fffd2801f0
.text   C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5868] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                        000007fefd69be40 8 bytes JMP 000007fffd2801b8
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA                                  0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleFileNameExW                         000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx                         00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation                         0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW                           0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                              0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                            0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                   0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                           00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                             00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                  00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                   0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                          0000000076f31465 2 bytes [F3, 76]
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[6748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                         0000000076f314bb 2 bytes [F3, 76]
.text   ...                                                                                                                                                  * 2
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\kernel32.dll!RegSetValueExA           0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW    0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW       0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW     0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW         0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary            0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList    00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo      00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket           00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[5560] C:\Windows\syswow64\ole32.dll!CoCreateInstance            0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                        0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                               000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                               00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                               0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                                 0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                    0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                                  0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                      0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                         0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                                 00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                                   00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                        00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[5132] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                         0000000074a19d0b 5 bytes JMP 00000001743b122b
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\kernel32.dll!RegSetValueExA                                                       0000000074801429 7 bytes JMP 00000001743b128f
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW                                              000000007481b223 5 bytes JMP 00000001743b159b
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx                                              00000000748988f4 7 bytes JMP 00000001743b1339
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation                                              0000000074898979 5 bytes JMP 00000001743b16b8
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW                                                0000000074898ccf 5 bytes JMP 00000001743b101e
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                   0000000074de1d1b 5 bytes JMP 00000001743b11d1
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW                                                 0000000074de1dc9 5 bytes JMP 00000001743b1019
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                     0000000074de2aa4 5 bytes JMP 00000001743b154b
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                        0000000074de2d0a 5 bytes JMP 00000001743b1276
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList                                                00000000760ee9a2 5 bytes JMP 00000001743b15b4
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo                                                  00000000760eebdc 5 bytes JMP 00000001743b119a
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket                                                       00000000749e5ea5 5 bytes JMP 00000001743b15e6
.text   C:\Users\Nisi\Desktop\gmer_2.1.19163.exe[4584] C:\Windows\syswow64\ole32.dll!CoCreateInstance                                                        0000000074a19d0b 5 bytes JMP 00000001743b122b

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [344:3228]                                                                                        000007fefb782a7c

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4c809313b7cf                                                                          
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4c809313b7cf (not active ControlSet)                                                      

---- EOF - GMER 2.1 ----
         
Die loggs von Malwarebytes sind vieleicht auch interessant.
Quickscan
Code:
ATTFilter
 Malwarebytes Anti-Malware  (Test) 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2013.04.11.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nisi :: NISI-PC [Administrator]

Schutz: Aktiviert

11.04.2013 07:26:50
mbam-log-2013-04-11 (07-26-50).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 234447
Laufzeit: 3 Minute(n), 4 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
         
Vollständig
Code:
ATTFilter
 Malwarebytes Anti-Malware  (Test) 1.75.0.1300
www.malwarebytes.org

Datenbank Version: v2013.04.11.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nisi :: NISI-PC [Administrator]

Schutz: Aktiviert

11.04.2013 07:32:07
mbam-log-2013-04-11 (07-32-07).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 463729
Laufzeit: 1 Stunde(n), 7 Minute(n), 32 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
         
Dann ist da noch das hier drin??
Protection log 2013-04-11
Code:
ATTFilter
2013/04/11 07:22:36 +0200	NISI-PC	Nisi	MESSAGE	Starting protection
2013/04/11 07:22:36 +0200	NISI-PC	Nisi	MESSAGE	Protection started successfully
2013/04/11 07:22:36 +0200	NISI-PC	Nisi	MESSAGE	Starting IP protection
2013/04/11 07:22:49 +0200	NISI-PC	Nisi	MESSAGE	IP Protection started successfully
2013/04/11 07:22:56 +0200	NISI-PC	Nisi	MESSAGE	Starting database refresh
2013/04/11 07:22:56 +0200	NISI-PC	Nisi	MESSAGE	Stopping IP protection
2013/04/11 07:22:58 +0200	NISI-PC	Nisi	MESSAGE	IP Protection stopped successfully
2013/04/11 07:22:59 +0200	NISI-PC	Nisi	MESSAGE	Database refreshed successfully
2013/04/11 07:22:59 +0200	NISI-PC	Nisi	MESSAGE	Starting IP protection
2013/04/11 07:23:10 +0200	NISI-PC	Nisi	MESSAGE	IP Protection started successfully
2013/04/11 09:37:53 +0200	NISI-PC	Nisi	MESSAGE	Starting protection
2013/04/11 09:37:53 +0200	NISI-PC	Nisi	MESSAGE	Protection started successfully
2013/04/11 09:37:53 +0200	NISI-PC	Nisi	MESSAGE	Starting IP protection
2013/04/11 09:38:10 +0200	NISI-PC	Nisi	MESSAGE	IP Protection started successfully
         
Protection log 2013-04-12
Code:
ATTFilter
2013/04/12 00:01:18 +0200	NISI-PC	(null)	MESSAGE	Executing scheduled update:  Daily
2013/04/12 00:01:18 +0200	NISI-PC	(null)	ERROR	Scheduled update failed:  No address found failed with error code 0
2013/04/12 00:01:22 +0200	NISI-PC	Nisi	MESSAGE	Starting protection
2013/04/12 00:01:22 +0200	NISI-PC	Nisi	MESSAGE	Protection started successfully
2013/04/12 00:01:22 +0200	NISI-PC	Nisi	MESSAGE	Starting IP protection
2013/04/12 00:01:40 +0200	NISI-PC	Nisi	MESSAGE	IP Protection started successfully
2013/04/12 00:43:27 +0200	NISI-PC	(null)	MESSAGE	Starting protection
2013/04/12 00:43:27 +0200	NISI-PC	(null)	MESSAGE	Protection started successfully
2013/04/12 00:43:27 +0200	NISI-PC	(null)	MESSAGE	Starting IP protection
2013/04/12 00:43:44 +0200	NISI-PC	(null)	MESSAGE	IP Protection started successfully
2013/04/12 19:17:47 +0200	NISI-PC	(null)	MESSAGE	Starting protection
2013/04/12 19:17:47 +0200	NISI-PC	(null)	MESSAGE	Protection started successfully
2013/04/12 19:17:47 +0200	NISI-PC	(null)	MESSAGE	Starting IP protection
2013/04/12 19:18:05 +0200	NISI-PC	(null)	MESSAGE	IP Protection started successfully
         

Geändert von Malibouman (12.04.2013 um 18:48 Uhr)

Alt 12.04.2013, 18:46   #5
aharonov
/// TB-Ausbilder
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Hallo,

Zitat:
bei Ihr wurden auch Trojaner gefunden, einer stand schon seit 1 Woche von MSE unter Quarantäne
Kannst du mir bitte noch einen Report von MSE nachreichen, was er da genau gefunden und gelöscht hat?

__________________
cheers,
Leo

Alt 12.04.2013, 19:09   #6
Malibouman
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Beim entfernen hat er wohl die Berichte gelöscht kann das sein? oder ich weiß nicht wo MSE diese speichert.

Hab was:

1
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         02.04.2013 14:08:20
Ereignis-ID:   1116
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Istbar.M&threatid=2147610047
 	Name: TrojanDownloader:Win32/Istbar.M
 	ID: 2147610047
 	Schweregrad: Schwerwiegend
 	Kategorie: Downloadtrojaner
 	Pfad: file:_D:\fotos en cliparts.zip->(Zip)->(UPX)
 	Ursprung der Erkennung: Lokaler Computer
 	Typ der Erkennung: Konkret
 	Quelle der Erkennung: Echtzeitschutz
 	Benutzer: Nisi-PC\Nisi
 	Prozessname: C:\Windows\explorer.exe
 	Signaturversion: AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-02T12:08:20.000000000Z" />
    <EventRecordID>115622</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{3C907A67-0F5D-4F22-B27C-384530AD1FC4}</Data>
    <Data>2013-04-02T12:08:10.609Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147610047</Data>
    <Data>TrojanDownloader:Win32/Istbar.M</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>4</Data>
    <Data>Downloadtrojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=TrojanDownloader:Win32/Istbar.M&amp;threatid=2147610047</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>Nisi-PC\Nisi</Data>
    <Data>
    </Data>
    <Data>file:_D:\fotos en cliparts.zip-&gt;(Zip)-&gt;(UPX)</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
2
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         02.04.2013 14:08:23
Ereignis-ID:   1116
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Istbar.M&threatid=2147610047
 	Name: TrojanDownloader:Win32/Istbar.M
 	ID: 2147610047
 	Schweregrad: Schwerwiegend
 	Kategorie: Downloadtrojaner
 	Pfad: containerfile:_D:\fotos en cliparts.zip;file:_D:\fotos en cliparts.zip->(Zip)->(UPX);file:_D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
 	Ursprung der Erkennung: Lokaler Computer
 	Typ der Erkennung: Konkret
 	Quelle der Erkennung: Echtzeitschutz
 	Benutzer: Nisi-PC\Nisi
 	Prozessname: C:\Windows\explorer.exe
 	Signaturversion: AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-02T12:08:23.000000000Z" />
    <EventRecordID>115623</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{3C907A67-0F5D-4F22-B27C-384530AD1FC4}</Data>
    <Data>2013-04-02T12:08:10.609Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147610047</Data>
    <Data>TrojanDownloader:Win32/Istbar.M</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>4</Data>
    <Data>Downloadtrojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=TrojanDownloader:Win32/Istbar.M&amp;threatid=2147610047</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>Nisi-PC\Nisi</Data>
    <Data>
    </Data>
    <Data>containerfile:_D:\fotos en cliparts.zip;file:_D:\fotos en cliparts.zip-&gt;(Zip)-&gt;(UPX);file:_D:\fotos en cliparts.zip-&gt;YSB_toolBar.exe-&gt;(UPX)</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
3
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         02.04.2013 14:08:39
Ereignis-ID:   1118
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Beim Anwenden von Aktionen auf Schadsoftware und potenziell unerwünschte Software wurde von Microsoft-Antischadsoftware ein nicht schwerwiegender Fehler festgestellt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Istbar.M&threatid=2147610047
 	Name: TrojanDownloader:Win32/Istbar.M
 	ID: 2147610047
 	Schweregrad: Schwerwiegend
 	Kategorie: Downloadtrojaner
 	Pfad: containerfile:_D:\fotos en cliparts.zip;file:_D:\fotos en cliparts.zip->(Zip)->(UPX);file:_D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
 	Ursprung der Erkennung: Lokaler Computer
 	Typ der Erkennung: Konkret
 	Quelle der Erkennung: Echtzeitschutz
 	Benutzer: NT-AUTORITÄT\SYSTEM
 	Prozessname: C:\Windows\explorer.exe
 	Aktion: Quarantäne
 	Aktionsstatus:  No additional actions required
 	Fehlercode: 0x80070005
 	Fehlerbeschreibung: Zugriff verweigert 
 	Signaturversion: AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1118</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-02T12:08:39.000000000Z" />
    <EventRecordID>115624</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{3C907A67-0F5D-4F22-B27C-384530AD1FC4}</Data>
    <Data>2013-04-02T12:08:10.609Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147610047</Data>
    <Data>TrojanDownloader:Win32/Istbar.M</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>4</Data>
    <Data>Downloadtrojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=TrojanDownloader:Win32/Istbar.M&amp;threatid=2147610047</Data>
    <Data>103</Data>
    <Data>
    </Data>
    <Data>4</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>Nisi-PC\Nisi</Data>
    <Data>
    </Data>
    <Data>containerfile:_D:\fotos en cliparts.zip;file:_D:\fotos en cliparts.zip-&gt;(Zip)-&gt;(UPX);file:_D:\fotos en cliparts.zip-&gt;YSB_toolBar.exe-&gt;(UPX)</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>2</Data>
    <Data>%%809</Data>
    <Data>
    </Data>
    <Data>0x80070005</Data>
    <Data>Zugriff verweigert </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
4
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         02.04.2013 14:08:55
Ereignis-ID:   1116
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Istbar.M&threatid=2147610047
 	Name: TrojanDownloader:Win32/Istbar.M
 	ID: 2147610047
 	Schweregrad: Schwerwiegend
 	Kategorie: Downloadtrojaner
 	Pfad: containerfile:_D:\fotos en cliparts.zip;file:_D:\fotos en cliparts.zip->(Zip)->(UPX);file:_D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
 	Ursprung der Erkennung: Lokaler Computer
 	Typ der Erkennung: Konkret
 	Quelle der Erkennung: Echtzeitschutz
 	Benutzer: Nisi-PC\Nisi
 	Prozessname: C:\Windows\explorer.exe
 	Signaturversion: AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-02T12:08:55.000000000Z" />
    <EventRecordID>115626</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{B5D88EC4-2BD6-4A73-841D-741DB90BEB87}</Data>
    <Data>2013-04-02T12:08:46.971Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147610047</Data>
    <Data>TrojanDownloader:Win32/Istbar.M</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>4</Data>
    <Data>Downloadtrojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=TrojanDownloader:Win32/Istbar.M&amp;threatid=2147610047</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>Nisi-PC\Nisi</Data>
    <Data>
    </Data>
    <Data>containerfile:_D:\fotos en cliparts.zip;file:_D:\fotos en cliparts.zip-&gt;(Zip)-&gt;(UPX);file:_D:\fotos en cliparts.zip-&gt;YSB_toolBar.exe-&gt;(UPX)</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
5
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         02.04.2013 14:09:16
Ereignis-ID:   1119
Aufgabenkategorie:Keine
Ebene:         Fehler
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Beim Anwenden von Aktionen auf Schadsoftware und potenziell unerwünschte Software wurde von Microsoft-Antischadsoftware ein schwerwiegender Fehler festgestellt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Istbar.M&threatid=2147610047
 	Name: TrojanDownloader:Win32/Istbar.M
 	ID: 2147610047
 	Schweregrad: Schwerwiegend
 	Kategorie: Downloadtrojaner
 	Pfad: containerfile:_D:\fotos en cliparts.zip;file:_D:\fotos en cliparts.zip->(Zip)->(UPX);file:_D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
 	Ursprung der Erkennung: Lokaler Computer
 	Typ der Erkennung: Konkret
 	Quelle der Erkennung: Echtzeitschutz
 	Benutzer: NT-AUTORITÄT\SYSTEM
 	Prozessname: C:\Windows\explorer.exe
 	Aktion: Quarantäne
 	Aktionsstatus:  No additional actions required
 	Fehlercode: 0x80070002
 	Fehlerbeschreibung: Das System kann die angegebene Datei nicht finden. 
 	Signaturversion: AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1119</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-02T12:09:16.000000000Z" />
    <EventRecordID>115628</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{B5D88EC4-2BD6-4A73-841D-741DB90BEB87}</Data>
    <Data>2013-04-02T12:08:46.971Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147610047</Data>
    <Data>TrojanDownloader:Win32/Istbar.M</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>4</Data>
    <Data>Downloadtrojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=TrojanDownloader:Win32/Istbar.M&amp;threatid=2147610047</Data>
    <Data>103</Data>
    <Data>
    </Data>
    <Data>5</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>Nisi-PC\Nisi</Data>
    <Data>
    </Data>
    <Data>containerfile:_D:\fotos en cliparts.zip;file:_D:\fotos en cliparts.zip-&gt;(Zip)-&gt;(UPX);file:_D:\fotos en cliparts.zip-&gt;YSB_toolBar.exe-&gt;(UPX)</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>2</Data>
    <Data>%%809</Data>
    <Data>
    </Data>
    <Data>0x80070002</Data>
    <Data>Das System kann die angegebene Datei nicht finden. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
6
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         03.04.2013 12:11:47
Ereignis-ID:   1116
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Fareit.gen!I&threatid=2147676925
 	Name: PWS:Win32/Fareit.gen!I
 	ID: 2147676925
 	Schweregrad: Schwerwiegend
 	Kategorie: Kennwortstehlprogramm
 	Pfad: process:_pid:5484
 	Ursprung der Erkennung: Unbekannt
 	Typ der Erkennung: Generisch
 	Quelle der Erkennung: System
 	Benutzer: NT-AUTORITÄT\SYSTEM
 	Prozessname: Unknown
 	Signaturversion: AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-03T10:11:47.000000000Z" />
    <EventRecordID>115769</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{7F40F4EA-56C1-4A66-93D2-BFB8A5EFFB86}</Data>
    <Data>2013-04-03T10:11:47.120Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147676925</Data>
    <Data>PWS:Win32/Fareit.gen!I</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>3</Data>
    <Data>Kennwortstehlprogramm</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=PWS:Win32/Fareit.gen!I&amp;threatid=2147676925</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>process:_pid:5484</Data>
    <Data>0</Data>
    <Data>%%844</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>2</Data>
    <Data>%%823</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.147.889.0, AS: 1.147.889.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
6
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         03.04.2013 20:13:44
Ereignis-ID:   1116
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!AM&threatid=2147678816
 	Name: PWS:Win32/Zbot.gen!AM
 	ID: 2147678816
 	Schweregrad: Schwerwiegend
 	Kategorie: Kennwortstehlprogramm
 	Pfad: file:_C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:_pid:5292
 	Ursprung der Erkennung: Lokaler Computer
 	Typ der Erkennung: Generisch
 	Quelle der Erkennung: System
 	Benutzer: NT-AUTORITÄT\SYSTEM
 	Prozessname: C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
 	Signaturversion: AV: 1.147.967.0, AS: 1.147.967.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-03T18:13:44.000000000Z" />
    <EventRecordID>115839</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{4C4C23D7-A640-446A-804E-B51FE840CD35}</Data>
    <Data>2013-04-03T18:13:43.506Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147678816</Data>
    <Data>PWS:Win32/Zbot.gen!AM</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>3</Data>
    <Data>Kennwortstehlprogramm</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=PWS:Win32/Zbot.gen!AM&amp;threatid=2147678816</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:_pid:5292</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>2</Data>
    <Data>%%823</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.147.967.0, AS: 1.147.967.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
7
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         03.04.2013 20:14:00
Ereignis-ID:   1116
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!AM&threatid=2147678816
 	Name: PWS:Win32/Zbot.gen!AM
 	ID: 2147678816
 	Schweregrad: Schwerwiegend
 	Kategorie: Kennwortstehlprogramm
 	Pfad: file:_C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:_pid:5292;regkey:_HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34};runkey:_HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
 	Ursprung der Erkennung: Lokaler Computer
 	Typ der Erkennung: Generisch
 	Quelle der Erkennung: System
 	Benutzer: NT-AUTORITÄT\SYSTEM
 	Prozessname: C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
 	Signaturversion: AV: 1.147.967.0, AS: 1.147.967.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-03T18:14:00.000000000Z" />
    <EventRecordID>115840</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{4C4C23D7-A640-446A-804E-B51FE840CD35}</Data>
    <Data>2013-04-03T18:13:43.506Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147678816</Data>
    <Data>PWS:Win32/Zbot.gen!AM</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>3</Data>
    <Data>Kennwortstehlprogramm</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=PWS:Win32/Zbot.gen!AM&amp;threatid=2147678816</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:_pid:5292;regkey:_HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34};runkey:_HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>2</Data>
    <Data>%%823</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.147.967.0, AS: 1.147.967.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
8
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:         03.04.2013 20:14:04
Ereignis-ID:   1116
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      Nisi-PC
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!AM&threatid=2147678816
 	Name: PWS:Win32/Zbot.gen!AM
 	ID: 2147678816
 	Schweregrad: Schwerwiegend
 	Kategorie: Kennwortstehlprogramm
 	Pfad: file:_C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:_pid:5292
 	Ursprung der Erkennung: Lokaler Computer
 	Typ der Erkennung: Generisch
 	Quelle der Erkennung: System
 	Benutzer: NT-AUTORITÄT\SYSTEM
 	Prozessname: Unknown
 	Signaturversion: AV: 1.147.967.0, AS: 1.147.967.0, NIS: 18.160.0.0
 	Modulversion: AM: 1.1.9302.0, NIS: 2.1.8904.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-03T18:14:04.000000000Z" />
    <EventRecordID>115843</EventRecordID>
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.2.0223.0</Data>
    <Data>{1300DD2E-59AC-40C6-8F83-83E07F9644A3}</Data>
    <Data>2013-04-03T18:14:04.101Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147678816</Data>
    <Data>PWS:Win32/Zbot.gen!AM</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>3</Data>
    <Data>Kennwortstehlprogramm</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=PWS:Win32/Zbot.gen!AM&amp;threatid=2147678816</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:_pid:5292</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>2</Data>
    <Data>%%823</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.147.967.0, AS: 1.147.967.0, NIS: 18.160.0.0</Data>
    <Data>AM: 1.1.9302.0, NIS: 2.1.8904.0</Data>
  </EventData>
</Event>
         
oh das war noch was
Code:
ATTFilter
Protokollname: System
Quelle:        Microsoft-Windows-Wininit
Datum:         04.04.2013 21:07:04
Ereignis-ID:   11
Aufgabenkategorie:Keine
Ebene:         Warnung
Schlüsselwörter:
Benutzer:      SYSTEM
Computer:      Nisi-PC
Beschreibung:
Benutzerdefinierte DLLs werden für jede Anwendung geladen. Der Systemadministrator sollte die Liste der DLLs prüfen, um sicherzustellen, dass sie sich auf die vertrauenswürdigen Anwendungen beziehen.
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2013-04-04T19:07:04.212041600Z" />
    <EventRecordID>116097</EventRecordID>
    <Correlation />
    <Execution ProcessID="672" ThreadID="708" />
    <Channel>System</Channel>
    <Computer>Nisi-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="StringCount">1</Data>
    <Data Name="String">C:\Windows\system32\nvinitx.dll</Data>
  </EventData>
</Event>
         

Geändert von Malibouman (12.04.2013 um 19:33 Uhr)

Alt 12.04.2013, 19:29   #7
aharonov
/// TB-Ausbilder
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Schau bitte mal, ob du unter C:\ProgramData\Microsoft\Microsoft Antimalware\Support oder unter C:\ProgramData\Microsoft\Microsoft Security Essentials\Support irgendeine Angabe findest, welche diesen Fund dokumentiert.
__________________
cheers,
Leo

Alt 12.04.2013, 19:40   #8
Malibouman
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Bringen die logs aus der Verwaltung nichts?
Da sind jede Menge Warnungen

Hab das gefühl als käm das von ner CD? weil D ist das cd laufwerk!

hier ist ne Übersicht
Code:
ATTFilter
2013-03-25T16:31:26.194Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-03-25T16:31:26.790Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 0.0.0.0 AS 0.0.0.0 AV 0.0.0.0
2013-03-25T16:36:14.534Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.421.0 AV 1.147.421.0
2013-04-02T11:42:44.713Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-02T11:43:06.152Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.502.0 AV 1.147.502.0
2013-04-02T11:49:52.099Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.889.0 AV 1.147.889.0
2013-04-02T12:08:20.397Z DETECTION TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->(Zip)->(UPX)
2013-04-02T12:08:23.489Z DETECTION TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
2013-04-02T12:08:50.026Z DETECTION TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->(Zip)->(UPX)
2013-04-02T12:08:55.062Z DETECTION TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
2013-04-03T18:13:26.101Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.967.0 AV 1.147.967.0
2013-04-03T18:13:45.004Z DETECTION PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
2013-04-03T18:14:04.103Z DETECTION PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
2013-04-04T18:21:44.095Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1051.0 AV 1.147.1051.0
2013-04-04T19:06:15.654Z Service stopped with exit code 0x0
2013-04-04T19:06:59.376Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-04T19:07:01.716Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1051.0 AV 1.147.1051.0
2013-04-06T18:36:32.680Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-06T18:38:23.091Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1051.0 AV 1.147.1051.0
2013-04-07T09:03:42.805Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-07T09:03:46.944Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1230.0 AV 1.147.1230.0
2013-04-11T01:45:23.756Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-11T01:45:29.727Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1550.0 AV 1.147.1550.0
2013-04-11T07:37:34.091Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-11T07:37:39.028Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1550.0 AV 1.147.1550.0
2013-04-11T22:01:02.288Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-11T22:01:04.456Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1550.0 AV 1.147.1550.0
2013-04-11T22:42:56.311Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-11T22:43:19.530Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1550.0 AV 1.147.1550.0
2013-04-12T17:17:13.894Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)
2013-04-12T17:17:38.349Z Version: Product 4.2.223.0 Service 4.2.223.0 Engine 1.1.9302.0 AS 1.147.1550.0 AV 1.147.1550.0
         
Das der Scan
Code:
ATTFilter
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎03‎-‎25‎-‎2013 17:31:26
************************************************************
2013-03-25T16:31:26.197Z Trace session started - MpWppTracing-03252013-173126-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 12800
Each Bucket has max capacity of -> 1 entries
number of Entries is 0
Number of invalid entries is 0
Number of Inserts issued is 0
Number of replaces issued is 0
Number of Insert failures is 0
Number of lookups is 0
Number of misses is 0
Number of false fast lookups is 0
Number of invalidations is 0
Number of maintenance invalidations is 0
Current File Size is 311296
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-03-25T16:31:26.607Z Verifying RTP plugin...
2013-03-25T16:31:26.621Z verified!
2013-03-25T16:31:26.727Z Verifying Nis plugin...
2013-03-25T16:31:26.743Z verified!
2013-03-25T16:31:26.746Z Initializing Nis plugin state...
2013-03-25T16:31:26.746Z Nis initialized!
2013-03-25T16:31:26.747Z Loading engine...
2013-03-25T16:31:26.748Z CSignatureStatus: changed to DUE_REPORTED
2013-03-25T16:31:26.749Z loaded!
2013-03-25T16:31:26.756Z Verifying license file...
2013-03-25T16:31:26.767Z verified!
2013-03-25T16:31:26.767Z Product supports installmode: 1
2013-03-25T16:31:26.789Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-03-25T16:31:26.790Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 0.0.0.0
AS Signature Version: 0.0.0.0
AV Signature Version: 0.0.0.0
************************************************************
2013-03-25T16:31:26.975Z WAT report: machine genuine, state(1) error(0x0)
2013-03-25T16:31:54.214Z Task(SignaturesUpdateService -UnmanagedUpdate) launched
2013-03-25T16:32:26.791Z Calling MpUpdateStart with update options = 257
2013-03-25T16:33:32.375Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(0)
2013-03-25T16:33:32.383Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(0)
2013-03-25T16:36:11.817Z Verifying engine and signature files (source: 0) ...
2013-03-25T16:36:12.134Z verified!
2013-03-25T16:36:14.507Z Initializing SQM in engine...
2013-03-25T16:36:14.507Z SQM initialized in the engine successfully
2013-03-25T16:36:14.531Z CSignatureStatus: back to good
2013-03-25T16:36:14.531Z Initializing RTP plugin state...
2013-03-25T16:36:14.531Z initialized!
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:20968
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:7
  TotalStreamCon:4246
  TotalBitmap:81760
  NTFS Cache Statistics:
   TotalMisses:10354
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

Signature updated on ‎03‎-‎25‎-‎2013 17:36:14
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.421.0
AV Signature Version: 1.147.421.0
************************************************************
2013-03-25T16:36:14.536Z Process scan (postsignatureupdatescan) started.
Signature updated via MicrosoftUpdateServer on ‎03‎-‎25‎-‎2013 17:36:15
************************************************************
2013-03-25T16:36:16.563Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:16.566Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:18.575Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:18.577Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:20.585Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:20.588Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:22.596Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:22.599Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:24.609Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:24.612Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:26.620Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:26.623Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:26.798Z Task(SignaturesUpdateService -ScheduleJob -UnmanagedUpdate) launched
2013-03-25T16:36:28.630Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:28.633Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:30.639Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:36:30.642Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-03-25T16:41:26.791Z AutoPurgeWorker triggered with dwWork=0x3
2013-03-25T16:41:26.791Z Product supports installmode: 1
2013-03-25T16:41:26.794Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-03-25T16:41:26.803Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎02‎-‎2013 13:42:44
************************************************************
2013-04-02T11:42:44.776Z Trace session started - MpWppTracing-04022013-134244-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 12800
Each Bucket has max capacity of -> 1 entries
number of Entries is 7607
Number of invalid entries is 0
Number of Inserts issued is 7630
Number of replaces issued is 0
Number of Insert failures is 3
Number of lookups is 65672
Number of misses is 54114
Number of false fast lookups is 2795
Number of invalidations is 20
Number of maintenance invalidations is 0
Current File Size is 311296
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-02T11:42:45.852Z Verifying RTP plugin...
2013-04-02T11:42:45.852Z verified!
2013-04-02T11:42:47.927Z Verifying Nis plugin...
2013-04-02T11:42:47.927Z verified!
2013-04-02T11:42:47.958Z Initializing Nis plugin state...
2013-04-02T11:42:47.958Z Nis initialized!
2013-04-02T11:42:47.958Z Loading engine...
2013-04-02T11:42:50.407Z Verifying engine and signature files (source: 1) ...
2013-04-02T11:42:50.407Z verified!
2013-04-02T11:43:05.434Z Initializing SQM in engine...
2013-04-02T11:43:05.434Z SQM initialized in the engine successfully
2013-04-02T11:43:05.575Z CSignatureStatus: changed to DUE_TRY_1
2013-04-02T11:43:05.637Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched
2013-04-02T11:43:05.637Z CSignatureStatus: UpdateWaitTimer #1 scheduled
2013-04-02T11:43:05.684Z Initializing RTP plugin state...
2013-04-02T11:43:05.684Z initialized!
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:570
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:4
  TotalStreamCon:1066
  TotalBitmap:81760
  NTFS Cache Statistics:
   TotalMisses:2596
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-02T11:43:05.684Z loaded!
2013-04-02T11:43:05.871Z Verifying license file...
2013-04-02T11:43:05.871Z verified!
2013-04-02T11:43:05.871Z Product supports installmode: 1
2013-04-02T11:43:05.902Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-02T11:43:06.152Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.502.0
AV Signature Version: 1.147.502.0
************************************************************
2013-04-02T11:43:06.245Z Task(SignaturesUpdateService -ScheduleJob -UnmanagedUpdate) launched
2013-04-02T11:43:07.119Z WAT report: machine genuine, state(1) error(0x0)
2013-04-02T11:43:58.381Z Process scan (poststartupscan) started.
2013-04-02T11:44:19.472Z Process scan (poststartupscan) completed.
2013-04-02T11:47:59.193Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T11:47:59.197Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T11:48:15.867Z Verifying engine and signature files (source: 0) ...
2013-04-02T11:49:34.507Z verified!
2013-04-02T11:49:51.974Z Initializing SQM in engine...
2013-04-02T11:49:51.975Z SQM initialized in the engine successfully
2013-04-02T11:49:52.087Z CSignatureStatus: back to good
2013-04-02T11:49:52.087Z Initializing RTP plugin state...
2013-04-02T11:49:52.088Z initialized!
****************************RTP Perf Log***************************
RTP Start:‎04‎-‎02‎-‎2013 13:43:05
Last Perf:‎04‎-‎02‎-‎2013 13:43:05
First RTP Scan:‎04‎-‎02‎-‎2013 13:43:07
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:1431
  Misses:6430
BM Queue:1,508,0
  Proc:0,160,0
  File:1,508,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,4,0
  SetEngine:1,1,0
  SetState:0,1,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,1,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:8666
  Pending:0
  RegSize:23812
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:835684
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:8
  TotalStreamCon:8089
  TotalBitmap:81760
  NTFS Cache Statistics:
   TotalMisses:10920
   TotalHits:22710
   InstanceCacheHits:15
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

Signature updated on ‎04‎-‎02‎-‎2013 13:49:52
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.889.0
AV Signature Version: 1.147.889.0
************************************************************
Signature updated via MicrosoftUpdateServer on ‎04‎-‎02‎-‎2013 13:49:52
************************************************************
2013-04-02T11:49:54.108Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T11:49:54.112Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T11:50:00.607Z Task(SpyNetService -RestrictPrivileges -AccessKey BC6C5997-C616-7D27-B2BB-7282A320DFCE) launched
2013-04-02T11:52:08.030Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-02T11:52:08.030Z Product supports installmode: 1
2013-04-02T11:52:08.032Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-02T11:52:08.105Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-02T11:52:08.105Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 44420053(ms)
2013-04-02T11:52:08.114Z WAT report: machine genuine, state(1) error(0x0)
2013-04-02T11:52:08.952Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
2013-04-02T11:52:08.990Z Trace buffers written: 13, events lost: 0, buffers lost: 0, days: 0
2013-04-02T11:52:08.991Z Task(-UploadSQM -RestrictPrivileges) launched
2013-04-02T11:53:21.353Z Process scan (postsignatureupdatescan) started.
2013-04-02T11:53:32.539Z Process scan (postsignatureupdatescan) completed.
2013-04-02T12:08:14.191Z Task(SpyNetService -RestrictPrivileges -AccessKey 56C48ABA-DCBD-907E-89C2-CA7F8D96995E) launched
Begin Resource Scan
Scan ID:{9AB50E4B-8474-4CFC-81E3-D04F90FA71C0}
Scan Source:3
Start Time:‎04‎-‎02‎-‎2013 14:08:10
End Time:‎04‎-‎02‎-‎2013 14:08:20
Explicit resource to scan
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->(Zip)->(UPX)
Result Count:1
Threat Name:TrojanDownloader:Win32/Istbar.M
ID:2147610047
Severity:5
Number of Resources:2
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->(Zip)->(UPX)
Extended Info:134656273209029
Resource Schema:containerfile
Resource Path:D:\fotos en cliparts.zip
Extended Info:0
End Scan
************************************************************

2013-04-02T12:08:20.384Z DETECTIONEVENT TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->(Zip)->(UPX);
2013-04-02T12:08:20.397Z DETECTION_ADD TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->(Zip)->(UPX)
2013-04-02T12:08:23.489Z DETECTION_MERGE TrojanDownloader:Win32/Istbar.M containerfile:D:\fotos en cliparts.zip
2013-04-02T12:08:23.489Z DETECTION_MERGE TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
2013-04-02T12:08:23.490Z DETECTIONEVENT TrojanDownloader:Win32/Istbar.M containerfile:D:\fotos en cliparts.zip;file:D:\fotos en cliparts.zip->(Zip)->(UPX);file:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX);
Begin Resource Scan
Scan ID:{29BED143-6920-424C-B0DF-891A0465DD9A}
Scan Source:6
Start Time:‎04‎-‎02‎-‎2013 14:08:20
End Time:‎04‎-‎02‎-‎2013 14:08:23
Explicit resource to scan
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->(Zip)->(UPX)
Result Count:1
Threat Name:TrojanDownloader:Win32/Istbar.M
ID:2147610047
Severity:5
Number of Resources:2
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Extended Info:134656273209029
Resource Schema:containerfile
Resource Path:D:\fotos en cliparts.zip
Extended Info:0
End Scan
************************************************************

2013-04-02T12:08:25.499Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T12:08:25.502Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
Begin Resource Scan
Scan ID:{0A8C0F4F-ABDB-4D62-89A8-0410B653E036}
Scan Source:6
Start Time:‎04‎-‎02‎-‎2013 14:08:23
End Time:‎04‎-‎02‎-‎2013 14:08:35
Explicit resource to scan
Resource Schema:containerfile
Resource Path:D:\fotos en cliparts.zip
Explicit resource to scan
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->(Zip)->(UPX)
Explicit resource to scan
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Result Count:1
Threat Name:TrojanDownloader:Win32/Istbar.M
ID:2147610047
Severity:5
Number of Resources:2
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Extended Info:134656273209029
Resource Schema:containerfile
Resource Path:D:\fotos en cliparts.zip
Extended Info:0
End Scan
************************************************************

Beginning threat actions
Start time:‎04‎-‎02‎-‎2013 14:08:36
Threat Name:TrojanDownloader:Win32/Istbar.M
Threat ID:2147610047
Action:quarantine
Resource action complete:Quarantine
Schema:file
Path:\\?\D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Threat ID:2147610047
Resource refcount:1
Result:0
Resource action complete:Quarantine
Schema:containerfile
Path:\\?\D:\fotos en cliparts.zip
Threat ID:2147610047
Resource refcount:1
Result:0
File to act on SHA1:879F91DCAFEDA5C317DFF8408610768288404C7A
File owner:\Jeder
!ERROR
Action clean/remove failed on file:\\?\D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Error code:5
!ERROR
Resource action complete:Removal
Schema:file
Path:\\?\D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Threat ID:2147610047
Resource refcount:1
Result:5
!ERROR
Action restore failed on file:\\?\D:\fotos en cliparts.zip
Error code:5
!ERROR
Restored resource
Schema:file
Path:\\?\D:\fotos en cliparts.zip
Result:5
!ERROR
Finished threat ID:2147610047
Threat result:5
Threat status flags:65537
Finished threat actions
End time:‎04‎-‎02‎-‎2013 14:08:39
Result:0
DSS Timeout:Received results after timeout
2013-04-02T12:08:41.793Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T12:08:41.804Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
Begin Resource Scan
Scan ID:{AD816654-7A4F-41D2-9826-FA861B8AD0E7}
Scan Source:3
Start Time:‎04‎-‎02‎-‎2013 14:08:46
End Time:‎04‎-‎02‎-‎2013 14:08:50
Explicit resource to scan
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->(Zip)->(UPX)
Result Count:1
Threat Name:TrojanDownloader:Win32/Istbar.M
ID:2147610047
Severity:5
Number of Resources:2
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->(Zip)->(UPX)
Extended Info:134656273209029
Resource Schema:containerfile
Resource Path:D:\fotos en cliparts.zip
Extended Info:0
End Scan
************************************************************

2013-04-02T12:08:50.025Z DETECTIONEVENT TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->(Zip)->(UPX);
2013-04-02T12:08:50.025Z DETECTION_ADD TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->(Zip)->(UPX)
2013-04-02T12:08:55.062Z DETECTION_MERGE TrojanDownloader:Win32/Istbar.M containerfile:D:\fotos en cliparts.zip
2013-04-02T12:08:55.062Z DETECTION_MERGE TrojanDownloader:Win32/Istbar.M file:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
2013-04-02T12:08:55.063Z DETECTIONEVENT TrojanDownloader:Win32/Istbar.M containerfile:D:\fotos en cliparts.zip;file:D:\fotos en cliparts.zip->(Zip)->(UPX);file:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX);
Begin Resource Scan
Scan ID:{9A7AC95E-150D-43FC-A42A-D8CAE348FE2F}
Scan Source:6
Start Time:‎04‎-‎02‎-‎2013 14:08:51
End Time:‎04‎-‎02‎-‎2013 14:08:55
Explicit resource to scan
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->(Zip)->(UPX)
Result Count:1
Threat Name:TrojanDownloader:Win32/Istbar.M
ID:2147610047
Severity:5
Number of Resources:2
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Extended Info:134656273209029
Resource Schema:containerfile
Resource Path:D:\fotos en cliparts.zip
Extended Info:0
End Scan
************************************************************

2013-04-02T12:08:57.071Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T12:08:57.074Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
Begin Resource Scan
Scan ID:{75F28BB6-7A4F-47BB-95B6-71BDB95270F9}
Scan Source:6
Start Time:‎04‎-‎02‎-‎2013 14:08:55
End Time:‎04‎-‎02‎-‎2013 14:09:05
Explicit resource to scan
Resource Schema:containerfile
Resource Path:D:\fotos en cliparts.zip
Explicit resource to scan
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->(Zip)->(UPX)
Explicit resource to scan
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Result Count:1
Threat Name:TrojanDownloader:Win32/Istbar.M
ID:2147610047
Severity:5
Number of Resources:2
Resource Schema:file
Resource Path:D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Extended Info:134656273209029
Resource Schema:containerfile
Resource Path:D:\fotos en cliparts.zip
Extended Info:0
End Scan
************************************************************

Beginning threat actions
Start time:‎04‎-‎02‎-‎2013 14:09:16
Threat Name:TrojanDownloader:Win32/Istbar.M
Threat ID:2147610047
Action:quarantine
!ERROR
Resource action complete:Quarantine
Schema:file
Path:\\?\D:\fotos en cliparts.zip->YSB_toolBar.exe->(UPX)
Threat ID:2147610047
Resource refcount:1
Result:2
!ERROR
Finished threat ID:2147610047
Threat result:2
Threat status flags:1
Finished threat actions
End time:‎04‎-‎02‎-‎2013 14:09:16
Result:0
DSS Timeout:Received results after timeout
2013-04-02T12:09:18.081Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T12:09:18.093Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-02T13:04:42.950Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-02T13:04:42.953Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 40004741(ms)
2013-04-03T07:04:40.504Z Timer is triggered for lost scheduled jobs
2013-04-03T07:04:40.504Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 61607190(ms)
2013-04-03T07:24:28.674Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-03T07:24:28.741Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 59198197(ms)
2013-04-03T08:53:21.027Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-03T08:53:21.029Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 54698799(ms)
2013-04-03T10:11:03.231Z Task(SpyNetService -RestrictPrivileges -AccessKey 80E8B0E7-EFD9-5FEB-538F-AC2E489FD6C6) launched
Begin Resource Scan
Scan ID:{755B8498-43AF-4C46-8805-574B7763E858}
Scan Source:7
Start Time:‎04‎-‎03‎-‎2013 12:11:00
End Time:‎04‎-‎03‎-‎2013 12:11:04
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Users\Nisi\AppData\Local\Mozilla\Firefox\Profiles\z7sfb9dg.default\Cache\F\2E\FCEAFd01
Result Count:1
Unknown File
Identifier:4201750934272868350
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Users\Nisi\AppData\Local\Mozilla\Firefox\Profiles\z7sfb9dg.default\Cache\F\2E\FCEAFd01
Extended Info:5864887518438
End Scan
************************************************************

DSS Timeout:Received results after timeout
2013-04-03T10:11:11.909Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T10:11:11.912Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)

BEGIN BM detection
GUID:{7D6FAC2A-42CB-ADF0-E53A62EA9D8D02E6}
DetectionName:Behavior:Win32/Zbot_Installation
SignatureID:231667056884561
ProcessID:4248
SessionID:1
CreationTime:‎04‎-‎03‎-‎2013 12:11:27
ImagePath:C:\Users\Nisi\AppData\Local\Temp\81019493.exe
END BM detection


BEGIN BM detection
GUID:{CC1BD508-D4E6-7E26-9DE76EF7DDA88A53}
DetectionName:Behavior:Win32/Zbot_Installation
SignatureID:231667056884561
ProcessID:2268
SessionID:1
CreationTime:‎04‎-‎03‎-‎2013 12:11:27
ImagePath:C:\Users\Nisi\AppData\Local\Temp\81021194.exe
END BM detection

DSS Timeout:Received results after timeout
DSS Timeout:Received results after timeout
2013-04-03T10:11:47.125Z DETECTIONEVENT PWS:Win32/Fareit.gen!I process:pid:5484;
2013-04-03T10:11:47.127Z DETECTION_ADD PWS:Win32/Fareit.gen!I process:pid:5484
Begin Resource Scan
Scan ID:{4D770C6F-7CB2-4D8F-B834-06EA3B09D56D}
Scan Source:8
Start Time:‎04‎-‎03‎-‎2013 12:11:17
End Time:‎04‎-‎03‎-‎2013 12:11:47
Explicit resource to scan
Resource Schema:processmemoryscan
Resource Path:pid:5484
Result Count:1
Threat Name:PWS:Win32/Fareit.gen!I
ID:2147676925
Severity:5
Number of Resources:1
Resource Schema:process
Resource Path:pid:5484
Extended Info:42426291206359
End Scan
************************************************************

DSS Timeout:Received results after timeout
2013-04-03T10:11:54.165Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T10:11:54.175Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T10:11:56.200Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T10:11:56.215Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T10:46:33.904Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T10:46:33.914Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T18:12:09.791Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-03T18:12:09.793Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched
2013-04-03T18:12:09.794Z Run lost scheduled job: SignatureUpdate -ScheduleJob -RestrictPrivileges
2013-04-03T18:12:09.917Z Task(SignaturesUpdateService -ScheduleJob -UnmanagedUpdate) launched
2013-04-03T18:12:10.146Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 20647782(ms)
2013-04-03T18:13:14.019Z Verifying engine and signature files (source: 0) ...
2013-04-03T18:13:15.614Z verified!
2013-04-03T18:13:25.960Z Initializing SQM in engine...
2013-04-03T18:13:25.961Z SQM initialized in the engine successfully
2013-04-03T18:13:26.099Z Initializing RTP plugin state...
2013-04-03T18:13:26.099Z initialized!
****************************RTP Perf Log***************************
RTP Start:‎04‎-‎02‎-‎2013 13:49:52
Last Perf:‎04‎-‎02‎-‎2013 13:49:52
First RTP Scan:‎04‎-‎02‎-‎2013 13:49:52
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:1440
  Misses:2485
BM Queue:0,320,0
  Proc:0,307,0
  File:0,241,0
Plugin Queue:0,1,0
  Threat:0,1,0
  Susp:0,1,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,2,0
  SetEngine:1,1,0
  SetState:0,1,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,1,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:28984
  Pending:0
  RegSize:28516
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:25722648
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:8
  TotalStreamCon:2928
  TotalBitmap:81760
  NTFS Cache Statistics:
   TotalMisses:16043
   TotalHits:117514
   InstanceCacheHits:2110
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

Signature updated on ‎04‎-‎03‎-‎2013 20:13:26
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.967.0
AV Signature Version: 1.147.967.0
************************************************************
2013-04-03T18:13:26.103Z Process scan (postsignatureupdatescan) started.
Signature updated via MicrosoftUpdateServer on ‎04‎-‎03‎-‎2013 20:13:26
************************************************************
2013-04-03T18:13:28.130Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T18:13:28.133Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T18:13:44.008Z Task(SpyNetService -RestrictPrivileges -AccessKey 91266E4A-D275-A7EF-BE34-DD4A458AEC93) launched
2013-04-03T18:13:44.991Z DETECTIONEVENT PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:pid:5292;
2013-04-03T18:13:44.993Z DETECTION_ADD PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
2013-04-03T18:13:45.004Z DETECTION_ADD PWS:Win32/Zbot.gen!AM process:pid:5292
Begin Resource Scan
Scan ID:{193CEFEF-DC75-4652-AD28-4517271ECA10}
Scan Source:1
Start Time:‎04‎-‎03‎-‎2013 20:13:26
End Time:‎04‎-‎03‎-‎2013 20:13:44
Explicit resource to scan
Resource Schema:postsignatureupdatescan
Resource Path:
Result Count:1
Threat Name:PWS:Win32/Zbot.gen!AM
ID:2147678816
Severity:5
Number of Resources:2
Resource Schema:process
Resource Path:pid:5292
Extended Info:0
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Extended Info:247908473721210
End Scan
************************************************************

2013-04-03T18:13:45.005Z Process scan (postsignatureupdatescan) completed.
Begin Resource Scan
Scan ID:{4EE205D0-E57C-49CF-BAD0-3D2E6C88B373}
Scan Source:6
Start Time:‎04‎-‎03‎-‎2013 20:13:48
End Time:‎04‎-‎03‎-‎2013 20:13:50
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Explicit resource to scan
Resource Schema:process
Resource Path:pid:5292
Result Count:1
Threat Name:PWS:Win32/Zbot.gen!AM
ID:2147678816
Severity:5
Number of Resources:2
Resource Schema:process
Resource Path:pid:5292
Extended Info:0
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Extended Info:247908473721210
End Scan
************************************************************

2013-04-03T18:13:52.341Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T18:13:52.344Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T18:14:00.677Z DETECTION_MERGE PWS:Win32/Zbot.gen!AM regkey:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
2013-04-03T18:14:00.677Z DETECTION_MERGE PWS:Win32/Zbot.gen!AM runkey:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
2013-04-03T18:14:00.678Z DETECTIONEVENT PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:pid:5292;regkey:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34};runkey:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34};
Begin Resource Scan
Scan ID:{75B24FCE-FB1F-4AD2-8EB8-3AD8E4396A8F}
Scan Source:6
Start Time:‎04‎-‎03‎-‎2013 20:13:50
End Time:‎04‎-‎03‎-‎2013 20:14:00
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Explicit resource to scan
Resource Schema:process
Resource Path:pid:5292
Result Count:1
Threat Name:PWS:Win32/Zbot.gen!AM
ID:2147678816
Severity:5
Number of Resources:4
Resource Schema:process
Resource Path:pid:5292
Extended Info:0
Resource Schema:regkey
Resource Path:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Extended Info:0
Resource Schema:runkey
Resource Path:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Extended Info:0
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Extended Info:247908473721210
End Scan
************************************************************

DSS Timeout:Received results after timeout
2013-04-03T18:14:04.087Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T18:14:04.090Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
Begin Resource Scan
Scan ID:{017DAE42-527F-4B1C-A440-191D13B6A7B7}
Scan Source:10
Start Time:‎04‎-‎03‎-‎2013 20:14:02
End Time:‎04‎-‎03‎-‎2013 20:14:04
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Explicit resource to scan
Resource Schema:process
Resource Path:pid:5292
Explicit resource to scan
Resource Schema:regkey
Resource Path:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Explicit resource to scan
Resource Schema:runkey
Resource Path:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Result Count:1
Threat Name:PWS:Win32/Zbot.gen!AM
ID:2147678816
Severity:5
Number of Resources:2
Resource Schema:process
Resource Path:pid:5292
Extended Info:0
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Extended Info:247908473721210
End Scan
************************************************************

2013-04-03T18:14:04.102Z DETECTIONEVENT PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe;process:pid:5292;
2013-04-03T18:14:04.103Z DETECTION_ADD PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
2013-04-03T18:14:04.103Z DETECTION_ADD PWS:Win32/Zbot.gen!AM process:pid:5292
Beginning threat actions
Start time:‎04‎-‎03‎-‎2013 20:14:01
Threat Name:PWS:Win32/Zbot.gen!AM
Threat ID:2147678816
Action:quarantine
Action schedule successful on process:pid:5292
PID:5292
Binary name:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Resource action complete:Removal
Schema:process
Path:pid:5292
Threat ID:2147678816
Resource refcount:1
Result:0
Terminate process PID:5292
Result (pass one):0
Resource action complete:Quarantine
Schema:process
Path:pid:5292
Threat ID:2147678816
Resource refcount:1
Result:0
Resource action complete:Quarantine
Schema:regkey
Path:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Threat ID:2147678816
Resource refcount:1
Result:0
Resource action complete:Quarantine
Schema:runkey
Path:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Threat ID:2147678816
Resource refcount:1
Result:0
Resource action complete:Quarantine
Schema:file
Path:\\?\C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Threat ID:2147678816
Resource refcount:1
Result:0
Registry value to be removed:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Type:1
Value:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Action remove successful on regkey:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Resource action complete:Removal
Schema:regkey
Path:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Threat ID:2147678816
Resource refcount:1
Result:0
Resource action complete:Removal
Schema:runkey
Path:HKCU@S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\{1CBE1FBB-43BC-AD41-03C4-6F290EC84C34}
Threat ID:2147678816
Resource refcount:1
Result:0
File to act on SHA1:66DDEA31C1F5B4FA9923B35AE4D63761D97BC1C4
File owner:Nisi-PC\Nisi
File scheduled for removal on reboot
File Name:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Resource action complete:Removal
Schema:file
Path:\\?\C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Threat ID:2147678816
Resource refcount:1
Result:3010
Finished threat ID:2147678816
Threat result:0
Threat status flags:2434
Finished threat actions
End time:‎04‎-‎03‎-‎2013 20:14:02
Result:0
2013-04-03T18:14:06.120Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-03T18:14:06.131Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
Begin Resource Scan
Scan ID:{B7C4C242-1ECD-4544-9984-FFAD49499E5B}
Scan Source:6
Start Time:‎04‎-‎03‎-‎2013 20:16:43
End Time:‎04‎-‎03‎-‎2013 20:16:50
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Explicit resource to scan
Resource Schema:process
Resource Path:pid:5292
Result Count:1
Threat Name:PWS:Win32/Zbot.gen!AM
ID:2147678816
Severity:5
Number of Resources:2
Resource Schema:process
Resource Path:pid:5292
Extended Info:0
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Extended Info:247908473721210
End Scan
************************************************************

Beginning threat actions
Start time:‎04‎-‎03‎-‎2013 20:16:50
Threat Name:PWS:Win32/Zbot.gen!AM
Threat ID:2147678816
Action:remove
Action schedule successful on process:pid:5292
PID:5292
Binary name:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Resource action complete:Removal
Schema:process
Path:pid:5292
Threat ID:2147678816
Resource refcount:1
Result:0
!ERROR
Terminate process PID:5292
Result (pass one):1168
File to act on SHA1:66DDEA31C1F5B4FA9923B35AE4D63761D97BC1C4
File owner:Nisi-PC\Nisi
File scheduled for removal on reboot
File Name:C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Resource action complete:Removal
Schema:file
Path:\\?\C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Threat ID:2147678816
Resource refcount:1
Result:3010
Finished threat ID:2147678816
Threat result:0
Threat status flags:2434
Finished threat actions
End time:‎04‎-‎03‎-‎2013 20:16:51
Result:0
2013-04-03T18:16:52.424Z Task(SpyNetService -RestrictPrivileges -AccessKey 2A05B213-55A0-787D-6F11-2937FF2338CF) launched
DSS Timeout:Received results after timeout
2013-04-04T08:32:12.942Z Timer is triggered for lost scheduled jobs
2013-04-04T08:32:12.942Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 55444986(ms)
2013-04-04T09:36:34.896Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-04T09:36:34.919Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 52100818(ms)
2013-04-04T18:20:22.527Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-04T18:20:22.529Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched
2013-04-04T18:20:22.529Z Run lost scheduled job: SignatureUpdate -ScheduleJob -RestrictPrivileges
2013-04-04T18:20:22.667Z Task(SignaturesUpdateService -ScheduleJob -UnmanagedUpdate) launched
2013-04-04T18:20:22.705Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 21402334(ms)
2013-04-04T18:21:30.970Z Verifying engine and signature files (source: 0) ...
2013-04-04T18:21:31.863Z verified!
2013-04-04T18:21:43.963Z Initializing SQM in engine...
2013-04-04T18:21:43.963Z SQM initialized in the engine successfully
2013-04-04T18:21:44.093Z Initializing RTP plugin state...
2013-04-04T18:21:44.093Z initialized!
****************************RTP Perf Log***************************
RTP Start:‎04‎-‎03‎-‎2013 20:13:26
Last Perf:‎04‎-‎03‎-‎2013 20:13:26
First RTP Scan:‎04‎-‎03‎-‎2013 20:13:26
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:784
  Misses:1147
BM Queue:2,437,0
  Proc:0,387,0
  File:2,180,0
Plugin Queue:0,1,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,1,0
Request Queue:1,2,0
  SetEngine:1,1,0
  SetState:0,1,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,1,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:37255
  Pending:0
  RegSize:28516
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:30018124
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:8
  TotalStreamCon:2627
  TotalBitmap:81760
  NTFS Cache Statistics:
   TotalMisses:18726
   TotalHits:155972
   InstanceCacheHits:2652
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

Signature updated on ‎04‎-‎04‎-‎2013 20:21:44
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1051.0
AV Signature Version: 1.147.1051.0
************************************************************
2013-04-04T18:21:44.097Z Process scan (postsignatureupdatescan) started.
Signature updated via MicrosoftUpdateServer on ‎04‎-‎04‎-‎2013 20:21:44
************************************************************
2013-04-04T18:21:46.152Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-04T18:21:46.169Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-04T18:22:02.507Z Process scan (postsignatureupdatescan) completed.
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Log
Stopped On ‎04‎-‎04‎-‎2013 21:06:15 (Exit Code = 0x0)
************************************************************
Finished shutdown actions; preparing for reboot
2013-04-04T19:06:15.825Z RIM remediation action started.

2013-04-04T19:06:15.825Z RIM remediation action completed. hr = 0x0.

****************************RTP Perf Log***************************
RTP Start:‎04‎-‎04‎-‎2013 20:21:44
Last Perf:‎04‎-‎04‎-‎2013 20:21:44
First RTP Scan:‎04‎-‎04‎-‎2013 20:21:44
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:352
  Misses:491
BM Queue:41,233,0
  Proc:17,51,0
  File:24,233,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,2,0
  SetEngine:1,1,0
  SetState:0,1,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:40566
  Pending:0
  RegSize:28516
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:31574008
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:8
  TotalStreamCon:4472
  TotalBitmap:81760
  NTFS Cache Statistics:
   TotalMisses:19712
   TotalHits:164318
   InstanceCacheHits:2653
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

****************************RTP Perf Log***************************
RTP Start:‎04‎-‎04‎-‎2013 21:06:15
Last Perf:‎04‎-‎04‎-‎2013 21:06:15
First RTP Scan:N/A
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:0
  Misses:0
BM Queue:28,0,0
  Proc:6,0,0
  File:22,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:0,1,0
  SetEngine:0,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:40566
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:31574008
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:8
  TotalStreamCon:4472
  TotalBitmap:81760
  NTFS Cache Statistics:
   TotalMisses:19713
   TotalHits:164318
   InstanceCacheHits:2653
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎04‎-‎2013 21:06:59
************************************************************
2013-04-04T19:06:59.391Z Trace session started - MpWppTracing-04042013-210659-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 12800
Each Bucket has max capacity of -> 1 entries
number of Entries is 7707
Number of invalid entries is 0
Number of Inserts issued is 7777
Number of replaces issued is 0
Number of Insert failures is 12
Number of lookups is 96032
Number of misses is 76734
Number of false fast lookups is 4612
Number of invalidations is 66
Number of maintenance invalidations is 0
Current File Size is 311296
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-04T19:06:59.578Z Verifying RTP plugin...
2013-04-04T19:06:59.578Z verified!
2013-04-04T19:06:59.672Z Verifying Nis plugin...
2013-04-04T19:06:59.672Z verified!
2013-04-04T19:06:59.688Z Initializing Nis plugin state...
2013-04-04T19:06:59.688Z Nis initialized!
2013-04-04T19:06:59.688Z Loading engine...
2013-04-04T19:06:59.906Z Verifying engine and signature files (source: 1) ...
2013-04-04T19:06:59.906Z verified!
2013-04-04T19:07:01.404Z Initializing SQM in engine...
2013-04-04T19:07:01.404Z SQM initialized in the engine successfully
2013-04-04T19:07:01.513Z CSignatureStatus: back to good
2013-04-04T19:07:01.528Z Initializing RTP plugin state...
2013-04-04T19:07:01.528Z initialized!
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:0
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:3
  TotalStreamCon:563
  TotalBitmap:85920
  NTFS Cache Statistics:
   TotalMisses:1174
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-04T19:07:01.528Z loaded!
2013-04-04T19:07:01.606Z Verifying license file...
2013-04-04T19:07:01.606Z verified!
2013-04-04T19:07:01.606Z Product supports installmode: 1
2013-04-04T19:07:01.638Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-04T19:07:01.716Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1051.0
AV Signature Version: 1.147.1051.0
************************************************************
2013-04-04T19:07:05.881Z WAT report: machine genuine, state(1) error(0x0)
2013-04-04T19:07:59.652Z Process scan (poststartupscan) started.
2013-04-04T19:08:00.916Z Process scan (poststartupscan) completed.
2013-04-04T19:10:16.529Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-04T19:10:16.533Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-04T19:12:00.082Z Task(SpyNetService -RestrictPrivileges -AccessKey 60488A2E-EF10-F39F-3730-06673F8BBEF3) launched
2013-04-04T19:17:01.716Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-04T19:17:01.716Z Product supports installmode: 1
2013-04-04T19:17:01.718Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-04T19:17:01.794Z WAT report: machine genuine, state(1) error(0x0)
2013-04-04T19:17:01.852Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-04T19:17:01.853Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 15928190(ms)
2013-04-04T19:17:05.171Z Detection State: Finished(0) Failed(0) CriticalFailed(1) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎06‎-‎2013 20:36:32
************************************************************
2013-04-06T18:36:32.743Z Trace session started - MpWppTracing-04062013-203632-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 12800
Each Bucket has max capacity of -> 1 entries
number of Entries is 7972
Number of invalid entries is 0
Number of Inserts issued is 8045
Number of replaces issued is 0
Number of Insert failures is 12
Number of lookups is 105574
Number of misses is 84065
Number of false fast lookups is 5156
Number of invalidations is 68
Number of maintenance invalidations is 0
Current File Size is 311296
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-06T18:36:35.832Z Verifying RTP plugin...
2013-04-06T18:36:35.832Z verified!
2013-04-06T18:36:37.017Z Verifying Nis plugin...
2013-04-06T18:36:37.017Z verified!
2013-04-06T18:36:37.064Z Initializing Nis plugin state...
2013-04-06T18:36:37.064Z Nis initialized!
2013-04-06T18:36:37.064Z Loading engine...
2013-04-06T18:36:45.052Z Verifying engine and signature files (source: 1) ...
2013-04-06T18:36:45.052Z verified!
2013-04-06T18:38:15.727Z Initializing SQM in engine...
2013-04-06T18:38:16.414Z SQM initialized in the engine successfully
2013-04-06T18:38:21.624Z CSignatureStatus: back to good
2013-04-06T18:38:22.092Z Initializing RTP plugin state...
2013-04-06T18:38:22.092Z 
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:860
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:3
  TotalStreamCon:2279
  TotalBitmap:86640
  NTFS Cache Statistics:
   TotalMisses:8796
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 
initialized!
2013-04-06T18:38:22.092Z loaded!
2013-04-06T18:38:22.420Z Verifying license file...
2013-04-06T18:38:22.420Z verified!
2013-04-06T18:38:22.420Z Product supports installmode: 1
2013-04-06T18:38:22.716Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-06T18:38:23.091Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1051.0
AV Signature Version: 1.147.1051.0
************************************************************
2013-04-06T18:38:26.008Z WAT report: machine genuine, state(1) error(0x0)
2013-04-06T18:38:48.784Z Process scan (poststartupscan) started.
2013-04-06T18:42:11.888Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-06T18:42:11.891Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-06T18:42:14.843Z Process scan (poststartupscan) completed.
2013-04-06T18:45:48.622Z Task(SpyNetService -RestrictPrivileges -AccessKey 69021254-2F81-976D-51C4-4C66DBB706BE) launched
2013-04-06T18:48:23.039Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-06T18:48:23.039Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 17619630(ms)
2013-04-06T18:48:23.091Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-06T18:48:23.091Z Product supports installmode: 1
2013-04-06T18:48:23.093Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-06T18:48:23.232Z WAT report: machine genuine, state(1) error(0x0)
2013-04-06T18:48:26.098Z Detection State: Finished(0) Failed(0) CriticalFailed(1) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎07‎-‎2013 11:03:42
************************************************************
2013-04-07T09:03:42.820Z Trace session started - MpWppTracing-04072013-110342-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 12800
Each Bucket has max capacity of -> 1 entries
number of Entries is 8054
Number of invalid entries is 0
Number of Inserts issued is 8148
Number of replaces issued is 0
Number of Insert failures is 15
Number of lookups is 129480
Number of misses is 103864
Number of false fast lookups is 6751
Number of invalidations is 89
Number of maintenance invalidations is 0
Current File Size is 311296
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-07T09:03:42.945Z Verifying RTP plugin...
2013-04-07T09:03:42.945Z verified!
2013-04-07T09:03:43.288Z Verifying Nis plugin...
2013-04-07T09:03:43.288Z verified!
2013-04-07T09:03:43.320Z Initializing Nis plugin state...
2013-04-07T09:03:43.320Z Nis initialized!
2013-04-07T09:03:43.320Z Loading engine...
2013-04-07T09:03:44.064Z Verifying engine and signature files (source: 1) ...
2013-04-07T09:03:44.074Z verified!
2013-04-07T09:03:45.484Z Initializing SQM in engine...
2013-04-07T09:03:45.494Z SQM initialized in the engine successfully
2013-04-07T09:03:46.524Z CSignatureStatus: back to good
2013-04-07T09:03:46.524Z Initializing RTP plugin state...
2013-04-07T09:03:46.524Z initialized!
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:860
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:3
  TotalStreamCon:855
  TotalBitmap:86640
  NTFS Cache Statistics:
   TotalMisses:2075
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-07T09:03:46.524Z loaded!
2013-04-07T09:03:46.544Z Verifying license file...
2013-04-07T09:03:46.544Z verified!
2013-04-07T09:03:46.544Z Product supports installmode: 1
2013-04-07T09:03:46.744Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-07T09:03:46.944Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1230.0
AV Signature Version: 1.147.1230.0
************************************************************
2013-04-07T09:03:48.334Z WAT report: machine genuine, state(1) error(0x0)
2013-04-07T09:04:42.955Z Process scan (poststartupscan) started.
2013-04-07T09:04:43.938Z Process scan (poststartupscan) completed.
2013-04-07T09:07:03.189Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-07T09:07:03.193Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)

BEGIN BM detection
GUID:{79D7D577-99B7-7875-9B13F07E7F15D084}
DetectionName:Behavior:Win32/InjectedRemoteThread
SignatureID:199783326672124
ProcessID:7000
SessionID:1
CreationTime:‎04‎-‎07‎-‎2013 11:07:31
ImagePath:C:\Program Files (x86)\Steam\SteamApps\common\left 4 dead 2\left4dead2.exe
ImagePathHash:28412024AE318B2CFB65ACF7782D384C1DFF7B197559F35844A9B630FC503970
TargetFileName:C:\Windows\System32\csrss.exe
END BM detection

2013-04-07T09:10:55.015Z Task(SpyNetService -RestrictPrivileges -AccessKey 2820100B-CBF8-C594-8FCA-EEF3B3E47146) launched
2013-04-07T09:13:28.085Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-07T09:13:28.085Z Product supports installmode: 1
2013-04-07T09:13:28.085Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-07T09:13:28.146Z WAT report: machine genuine, state(1) error(0x0)
2013-04-07T09:13:28.286Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-07T09:13:28.286Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 53663765(ms)
2013-04-07T09:13:32.640Z Detection State: Finished(0) Failed(0) CriticalFailed(1) Additional Actions(0)
2013-04-07T09:13:32.883Z Trace buffers written: 6, events lost: 0, buffers lost: 0, days: 0
2013-04-07T09:13:32.935Z Task(-UploadSQM -RestrictPrivileges) launched
2013-04-07T10:06:12.041Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-07T10:06:12.065Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 50812618(ms)
2013-04-09T12:58:21.323Z Timer is triggered for lost scheduled jobs
2013-04-09T12:58:21.802Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 40482881(ms)
2013-04-09T13:18:05.633Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-09T13:18:05.635Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched
2013-04-09T13:18:05.635Z Run lost scheduled job: SignatureUpdate -ScheduleJob -RestrictPrivileges
2013-04-09T13:18:05.768Z Task(SignaturesUpdateService -ScheduleJob -UnmanagedUpdate) launched
2013-04-09T13:18:05.809Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 39797332(ms)
2013-04-09T13:18:07.848Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-09T13:18:07.862Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-09T13:18:44.196Z Verifying engine and signature files (source: 0) ...
2013-04-09T13:18:45.518Z verified!
2013-04-09T13:18:55.722Z Initializing SQM in engine...
2013-04-09T13:18:55.722Z SQM initialized in the engine successfully
2013-04-09T13:18:55.892Z Initializing RTP plugin state...
2013-04-09T13:18:55.892Z initialized!
****************************RTP Perf Log***************************
RTP Start:‎04‎-‎07‎-‎2013 11:03:46
Last Perf:‎04‎-‎07‎-‎2013 11:03:46
First RTP Scan:‎04‎-‎07‎-‎2013 11:03:46
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:2075
  Misses:7817
BM Queue:3,312,0
  Proc:0,273,0
  File:3,67,0
Plugin Queue:0,1,0
  Threat:0,0,0
  Susp:0,1,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:2,4,0
  SetEngine:1,1,0
  SetState:1,1,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,1,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:14788
  Pending:0
  RegSize:23812
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:2110062
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:6
  TotalStreamCon:4504
  TotalBitmap:86640
  NTFS Cache Statistics:
   TotalMisses:15359
   TotalHits:109967
   InstanceCacheHits:2210
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

Signature updated on ‎04‎-‎09‎-‎2013 15:18:55
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1415.0
AV Signature Version: 1.147.1415.0
************************************************************
2013-04-09T13:18:55.924Z Process scan (postsignatureupdatescan) started.
Signature updated via MicrosoftUpdateServer on ‎04‎-‎09‎-‎2013 15:18:56
************************************************************
2013-04-09T13:18:57.930Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-09T13:18:57.936Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-09T13:19:17.567Z Process scan (postsignatureupdatescan) completed.
2013-04-09T14:11:55.058Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-09T14:11:55.061Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 35808046(ms)
2013-04-09T16:14:10.969Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-09T16:14:10.972Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 27033473(ms)
2013-04-09T17:59:28.078Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-09T17:59:28.081Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 20834883(ms)
2013-04-10T10:18:38.509Z Timer is triggered for lost scheduled jobs
2013-04-10T10:18:38.509Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 48484455(ms)
2013-04-10T10:38:22.705Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-10T10:38:22.842Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 47470954(ms)
2013-04-10T18:25:15.459Z AutoPurgeWorker triggered with dwWork=0x100002
2013-04-10T18:25:15.462Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched
2013-04-10T18:25:15.462Z Run lost scheduled job: SignatureUpdate -ScheduleJob -RestrictPrivileges
2013-04-10T18:25:15.625Z Task(SignaturesUpdateService -ScheduleJob -UnmanagedUpdate) launched
2013-04-10T18:25:15.751Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 21809477(ms)
2013-04-10T18:26:59.184Z Verifying engine and signature files (source: 0) ...
2013-04-10T18:27:21.075Z verified!
2013-04-10T18:27:36.089Z Initializing SQM in engine...
2013-04-10T18:27:36.089Z SQM initialized in the engine successfully
2013-04-10T18:27:36.280Z Initializing RTP plugin state...
2013-04-10T18:27:36.280Z initialized!
****************************RTP Perf Log***************************
RTP Start:‎04‎-‎09‎-‎2013 15:18:55
Last Perf:‎04‎-‎09‎-‎2013 15:18:55
First RTP Scan:‎04‎-‎09‎-‎2013 15:18:56
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:1207
  Misses:11383
BM Queue:10,1841,0
  Proc:0,395,0
  File:10,1839,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,3,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,2,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:37341
  Pending:0
  RegSize:28516
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:13442154
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:9
  TotalStreamCon:4518
  TotalBitmap:86640
  NTFS Cache Statistics:
   TotalMisses:53302
   TotalHits:200640
   InstanceCacheHits:4283
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

Signature updated on ‎04‎-‎10‎-‎2013 20:27:36
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1534.0
AV Signature Version: 1.147.1534.0
************************************************************
2013-04-10T18:27:36.286Z Process scan (postsignatureupdatescan) started.
Signature updated via MicrosoftUpdateServer on ‎04‎-‎10‎-‎2013 20:27:36
************************************************************
2013-04-10T18:27:38.312Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:27:38.320Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:27:53.801Z Process scan (postsignatureupdatescan) completed.
2013-04-10T18:34:29.038Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:34:29.043Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:52:00.328Z Task(SignaturesUpdateService -UnmanagedUpdate) launched
2013-04-10T18:52:23.900Z Verifying engine and signature files (source: 0) ...
2013-04-10T18:52:53.825Z verified!
2013-04-10T18:53:51.215Z Task(SpyNetService -RestrictPrivileges -AccessKey 60AEBCF2-0EBD-1C17-EC4A-BCD2CF48CB37) launched
Begin Resource Scan
Scan ID:{9DA388FB-77A8-4B77-9BBF-31E83080B4FF}
Scan Source:3
Start Time:‎04‎-‎10‎-‎2013 20:53:49
End Time:‎04‎-‎10‎-‎2013 20:53:52
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Result Count:1
Threat Name:PWS:Win32/Zbot.gen!AM
ID:2147678816
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Extended Info:247908473721210
End Scan
************************************************************

2013-04-10T18:53:52.078Z DETECTIONEVENT PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe;
2013-04-10T18:53:52.081Z DETECTION_ADD PWS:Win32/Zbot.gen!AM file:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Begin Resource Scan
Scan ID:{3F39678A-BF25-46F6-BE59-A527D4A89AD1}
Scan Source:6
Start Time:‎04‎-‎10‎-‎2013 20:53:54
End Time:‎04‎-‎10‎-‎2013 20:53:55
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Result Count:1
Threat Name:PWS:Win32/Zbot.gen!AM
ID:2147678816
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Extended Info:247908473721210
End Scan
************************************************************

2013-04-10T18:53:57.528Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:53:57.536Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:54:02.783Z Initializing SQM in engine...
2013-04-10T18:54:02.783Z SQM initialized in the engine successfully
2013-04-10T18:54:02.972Z Initializing RTP plugin state...
****************************RTP Perf Log***************************
RTP Start:‎04‎-‎10‎-‎2013 20:27:36
Last Perf:‎04‎-‎10‎-‎2013 20:27:36
First RTP Scan:‎04‎-‎10‎-‎2013 20:27:36
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:1459
  Misses:7759
BM Queue:0,573,0
  Proc:0,194,0
  File:0,541,0
Plugin Queue:0,1,0
  Threat:0,1,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,2,0
  SetEngine:1,1,0
  SetState:0,1,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:54619
  Pending:0
  RegSize:28516
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:28327916
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:10
  TotalStreamCon:19568
  TotalBitmap:86640
  NTFS Cache Statistics:
   TotalMisses:72252
   TotalHits:256366
   InstanceCacheHits:4905
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-10T18:54:02.972Z initialized!
Signature updated on ‎04‎-‎10‎-‎2013 20:54:02
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1550.0
AV Signature Version: 1.147.1550.0
************************************************************
2013-04-10T18:54:02.995Z Process scan (postsignatureupdatescan) started.
Signature updated via MicrosoftUpdateServer on ‎04‎-‎10‎-‎2013 20:54:03
************************************************************
2013-04-10T18:54:04.992Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:54:04.998Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
Begin Resource Scan
Scan ID:{9328AFF1-9683-4F2B-BF6A-654A8461E0A6}
Scan Source:6
Start Time:‎04‎-‎10‎-‎2013 20:53:55
End Time:‎04‎-‎10‎-‎2013 20:54:13
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Result Count:1
Threat Name:PWS:Win32/Zbot.gen!AM
ID:2147678816
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Extended Info:247908473721210
End Scan
************************************************************

Beginning threat actions
Start time:‎04‎-‎10‎-‎2013 20:54:13
Threat Name:PWS:Win32/Zbot.gen!AM
Threat ID:2147678816
Action:quarantine
Resource action complete:Quarantine
Schema:file
Path:\\?\C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Threat ID:2147678816
Resource refcount:1
Result:0
File to act on SHA1:BB63F9D1F1F5F218A16CA58B88C3C379D4246F12
File owner:Nisi-PC\Nisi
File cleaned/removed successfully
File Name:C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Resource action complete:Removal
Schema:file
Path:\\?\C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
Threat ID:2147678816
Resource refcount:1
Result:0
Finished threat ID:2147678816
Threat result:0
Threat status flags:0
Finished threat actions
End time:‎04‎-‎10‎-‎2013 20:54:15
Result:0
DSS Timeout:Received results after timeout
2013-04-10T18:54:17.463Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:54:17.469Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-10T18:54:20.406Z Process scan (postsignatureupdatescan) completed.
2013-04-10T18:57:46.638Z Task(SpyNetService -RestrictPrivileges -AccessKey 1767C50E-21A8-6EAE-8314-38F5556E4B3D) launched
Begin Resource Scan
Scan ID:{B90972F0-02B0-4DF5-95E7-98D6BAFD5AAC}
Scan Source:3
Start Time:‎04‎-‎10‎-‎2013 20:57:45
End Time:‎04‎-‎10‎-‎2013 20:57:47
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\5ed301c8-3da0db87->hw.class
Result Count:1
Threat Name:Exploit:Java/CVE-2013-0431
ID:2147679387
Severity:5
Number of Resources:6
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\5ed301c8-3da0db87->ttt.class
Extended Info:37825837231109
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\5ed301c8-3da0db87->tt.class
Extended Info:18142402984074
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\5ed301c8-3da0db87->MakeNew5.class
Extended Info:37826873450087
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\5ed301c8-3da0db87->MakeNew2.class
Extended Info:37829269510301
Resource Schema:file
Resource Path:C:\Users\Nisi\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\5ed301c8-3da0db87->hw.class
Extended Info:37829161585683
Resource Schema:containerfile
Resource Path:C:\Users\Nisi\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\5ed301c8-3da0db87
Extended Info:0
End Scan
************************************************************

--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎11‎-‎2013 03:45:23
************************************************************
2013-04-11T01:45:23.756Z Trace session started - MpWppTracing-04112013-034523-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 20138
Each Bucket has max capacity of -> 1 entries
number of Entries is 17679
Number of invalid entries is 0
Number of Inserts issued is 49506
Number of replaces issued is 0
Number of Insert failures is 26
Number of lookups is 674630
Number of misses is 610197
Number of false fast lookups is 90716
Number of invalidations is 269
Number of maintenance invalidations is 0
Current File Size is 487424
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-11T01:45:23.866Z Verifying RTP plugin...
2013-04-11T01:45:23.866Z verified!
2013-04-11T01:45:24.552Z Verifying Nis plugin...
2013-04-11T01:45:24.552Z verified!
2013-04-11T01:45:24.552Z Initializing Nis plugin state...
2013-04-11T01:45:24.552Z Nis initialized!
2013-04-11T01:45:24.552Z Loading engine...
2013-04-11T01:45:24.708Z Verifying engine and signature files (source: 1) ...
2013-04-11T01:45:26.206Z verified!
2013-04-11T01:45:29.617Z Initializing SQM in engine...
2013-04-11T01:45:29.617Z SQM initialized in the engine successfully
2013-04-11T01:45:29.647Z CSignatureStatus: back to good
2013-04-11T01:45:29.647Z Initializing RTP plugin state...
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:0
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:4
  TotalStreamCon:2726
  TotalBitmap:89200
  NTFS Cache Statistics:
   TotalMisses:3964
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-11T01:45:29.647Z initialized!
2013-04-11T01:45:29.647Z loaded!
2013-04-11T01:45:29.677Z Verifying license file...
2013-04-11T01:45:29.677Z verified!
2013-04-11T01:45:29.677Z Product supports installmode: 1
2013-04-11T01:45:29.727Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-11T01:45:29.727Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1550.0
AV Signature Version: 1.147.1550.0
************************************************************
2013-04-11T01:45:30.567Z WAT report: machine genuine, state(1) error(0x0)
2013-04-11T01:46:23.876Z Process scan (poststartupscan) started.
2013-04-11T01:46:25.093Z Process scan (poststartupscan) completed.
2013-04-11T01:48:08.958Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-11T01:48:08.974Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-11T01:52:56.046Z Task(SpyNetService -RestrictPrivileges -AccessKey 3DBD7E05-3851-30A2-E19B-CE5502B0C75F) launched
2013-04-11T01:55:29.737Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-11T01:55:29.737Z Product supports installmode: 1
2013-04-11T01:55:29.737Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-11T01:55:29.831Z WAT report: machine genuine, state(1) error(0x0)
2013-04-11T01:55:29.940Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-11T01:55:29.955Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 79609008(ms)
2013-04-11T01:55:34.152Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎11‎-‎2013 09:37:34
************************************************************
2013-04-11T07:37:34.106Z Trace session started - MpWppTracing-04112013-093734-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 25258
Each Bucket has max capacity of -> 1 entries
number of Entries is 21329
Number of invalid entries is 0
Number of Inserts issued is 75202
Number of replaces issued is 0
Number of Insert failures is 418
Number of lookups is 1406105
Number of misses is 1309260
Number of false fast lookups is 181510
Number of invalidations is 280
Number of maintenance invalidations is 221
Current File Size is 610304
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-11T07:37:34.200Z Verifying RTP plugin...
2013-04-11T07:37:34.200Z verified!
2013-04-11T07:37:34.200Z Verifying Nis plugin...
2013-04-11T07:37:34.200Z verified!
2013-04-11T07:37:34.200Z Initializing Nis plugin state...
2013-04-11T07:37:34.200Z Nis initialized!
2013-04-11T07:37:34.200Z Loading engine...
2013-04-11T07:37:34.387Z Verifying engine and signature files (source: 1) ...
2013-04-11T07:37:34.387Z verified!
2013-04-11T07:37:37.448Z Initializing SQM in engine...
2013-04-11T07:37:37.458Z SQM initialized in the engine successfully
2013-04-11T07:37:37.768Z CSignatureStatus: back to good
2013-04-11T07:37:37.768Z Initializing RTP plugin state...
2013-04-11T07:37:37.768Z initialized!
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1144
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:3
  TotalStreamCon:2597
  TotalBitmap:89200
  NTFS Cache Statistics:
   TotalMisses:3909
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-11T07:37:37.768Z loaded!
2013-04-11T07:37:37.818Z Verifying license file...
2013-04-11T07:37:37.818Z verified!
2013-04-11T07:37:37.818Z Product supports installmode: 1
2013-04-11T07:37:39.018Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-11T07:37:39.028Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1550.0
AV Signature Version: 1.147.1550.0
************************************************************
2013-04-11T07:37:40.118Z WAT report: machine genuine, state(1) error(0x0)
2013-04-11T07:38:34.208Z Process scan (poststartupscan) started.
2013-04-11T07:38:39.013Z Process scan (poststartupscan) completed.
2013-04-11T07:40:27.998Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-11T07:40:28.002Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-11T07:45:16.907Z Task(SpyNetService -RestrictPrivileges -AccessKey C30CEF78-34F0-C6A9-61F5-5F1AF7ECF07F) launched
2013-04-11T07:47:39.029Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-11T07:47:39.029Z Product supports installmode: 1
2013-04-11T07:47:39.035Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-11T07:47:39.239Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-11T07:47:39.239Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 57722474(ms)
2013-04-11T07:47:39.992Z WAT report: machine genuine, state(1) error(0x0)
2013-04-11T07:47:43.780Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎12‎-‎2013 00:01:02
************************************************************
2013-04-11T22:01:02.304Z Trace session started - MpWppTracing-04122013-000102-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 25258
Each Bucket has max capacity of -> 1 entries
number of Entries is 21351
Number of invalid entries is 0
Number of Inserts issued is 75231
Number of replaces issued is 0
Number of Insert failures is 457
Number of lookups is 1453085
Number of misses is 1343013
Number of false fast lookups is 186334
Number of invalidations is 285
Number of maintenance invalidations is 221
Current File Size is 610304
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-11T22:01:02.397Z Verifying RTP plugin...
2013-04-11T22:01:02.397Z verified!
2013-04-11T22:01:02.772Z Verifying Nis plugin...
2013-04-11T22:01:02.772Z verified!
2013-04-11T22:01:02.772Z Initializing Nis plugin state...
2013-04-11T22:01:02.772Z Nis initialized!
2013-04-11T22:01:02.772Z Loading engine...
2013-04-11T22:01:02.928Z Verifying engine and signature files (source: 1) ...
2013-04-11T22:01:02.928Z verified!
2013-04-11T22:01:04.316Z Initializing SQM in engine...
2013-04-11T22:01:04.316Z SQM initialized in the engine successfully
2013-04-11T22:01:04.347Z CSignatureStatus: back to good
2013-04-11T22:01:04.347Z Initializing RTP plugin state...
2013-04-11T22:01:04.347Z initialized!
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:0
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:3
  TotalStreamCon:469
  TotalBitmap:89200
  NTFS Cache Statistics:
   TotalMisses:850
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-11T22:01:04.347Z loaded!
2013-04-11T22:01:04.347Z Verifying license file...
2013-04-11T22:01:04.347Z verified!
2013-04-11T22:01:04.347Z Product supports installmode: 1
2013-04-11T22:01:04.378Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-11T22:01:04.456Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1550.0
AV Signature Version: 1.147.1550.0
************************************************************
2013-04-11T22:01:04.909Z WAT report: machine genuine, state(1) error(0x0)
2013-04-11T22:02:19.072Z Process scan (poststartupscan) started.
2013-04-11T22:02:26.960Z Process scan (poststartupscan) completed.
2013-04-11T22:04:29.967Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-11T22:04:29.983Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-11T22:09:19.516Z Task(SpyNetService -RestrictPrivileges -AccessKey 36DAEC97-2A90-E7F4-D252-862E410ABC9D) launched
2013-04-11T22:11:04.457Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-11T22:11:04.457Z Product supports installmode: 1
2013-04-11T22:11:04.457Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-11T22:11:04.598Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-11T22:11:04.598Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 6000653(ms)
2013-04-11T22:11:04.754Z WAT report: machine genuine, state(1) error(0x0)
2013-04-11T22:11:09.886Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎12‎-‎2013 00:42:56
************************************************************
2013-04-11T22:42:56.373Z Trace session started - MpWppTracing-04122013-004256-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 25258
Each Bucket has max capacity of -> 1 entries
number of Entries is 21370
Number of invalid entries is 0
Number of Inserts issued is 75257
Number of replaces issued is 0
Number of Insert failures is 457
Number of lookups is 1488682
Number of misses is 1364060
Number of false fast lookups is 189157
Number of invalidations is 286
Number of maintenance invalidations is 221
Current File Size is 610304
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-11T22:42:56.888Z Verifying RTP plugin...
2013-04-11T22:42:56.888Z verified!
2013-04-11T22:42:57.200Z Verifying Nis plugin...
2013-04-11T22:42:57.200Z verified!
2013-04-11T22:42:57.231Z Initializing Nis plugin state...
2013-04-11T22:42:57.231Z Nis initialized!
2013-04-11T22:42:57.231Z Loading engine...
2013-04-11T22:43:00.429Z Verifying engine and signature files (source: 1) ...
2013-04-11T22:43:00.429Z verified!
2013-04-11T22:43:18.859Z Initializing SQM in engine...
2013-04-11T22:43:18.875Z SQM initialized in the engine successfully
2013-04-11T22:43:19.093Z CSignatureStatus: back to good
2013-04-11T22:43:19.109Z Initializing RTP plugin state...
2013-04-11T22:43:19.109Z initialized!
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:860
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:3
  TotalStreamCon:1039
  TotalBitmap:89200
  NTFS Cache Statistics:
   TotalMisses:2691
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-11T22:43:19.109Z loaded!
2013-04-11T22:43:19.140Z Verifying license file...
2013-04-11T22:43:19.140Z verified!
2013-04-11T22:43:19.140Z Product supports installmode: 1
2013-04-11T22:43:19.187Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-11T22:43:19.530Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1550.0
AV Signature Version: 1.147.1550.0
************************************************************
2013-04-11T22:43:20.154Z WAT report: machine genuine, state(1) error(0x0)
2013-04-11T22:43:56.736Z Process scan (poststartupscan) started.
2013-04-11T22:43:57.781Z Process scan (poststartupscan) completed.
2013-04-11T22:46:08.073Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-11T22:46:08.088Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-11T22:50:54.973Z Task(SpyNetService -RestrictPrivileges -AccessKey 7F877970-F737-0AA7-2A0E-32C1523CBAB6) launched
2013-04-11T22:53:19.523Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-11T22:53:19.523Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 2871018(ms)
2013-04-11T22:53:19.538Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-11T22:53:19.538Z Product supports installmode: 1
2013-04-11T22:53:19.538Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-11T22:53:20.022Z WAT report: machine genuine, state(1) error(0x0)
2013-04-11T22:53:25.217Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎04‎-‎12‎-‎2013 19:17:13
************************************************************
2013-04-12T17:17:13.910Z Trace session started - MpWppTracing-04122013-191713-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 25258
Each Bucket has max capacity of -> 1 entries
number of Entries is 21370
Number of invalid entries is 0
Number of Inserts issued is 75257
Number of replaces issued is 0
Number of Insert failures is 457
Number of lookups is 1496989
Number of misses is 1369828
Number of false fast lookups is 189934
Number of invalidations is 286
Number of maintenance invalidations is 221
Current File Size is 610304
Journal ID = 1ccaadde6321faa
Trusted image state = 1 USN = 0
Setup boot count = 0

2013-04-12T17:17:14.659Z Verifying RTP plugin...
2013-04-12T17:17:14.659Z verified!
2013-04-12T17:17:16.047Z Loading engine...
2013-04-12T17:17:19.011Z Verifying engine and signature files (source: 1) ...
2013-04-12T17:17:19.011Z verified!
2013-04-12T17:17:37.819Z Initializing SQM in engine...
2013-04-12T17:17:37.819Z SQM initialized in the engine successfully
2013-04-12T17:17:38.006Z CSignatureStatus: back to good
2013-04-12T17:17:38.037Z Initializing RTP plugin state...
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:860
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:3
  TotalStreamCon:1035
  TotalBitmap:89200
  NTFS Cache Statistics:
   TotalMisses:2660
   TotalHits:0
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-12T17:17:38.037Z initialized!
2013-04-12T17:17:38.037Z loaded!
2013-04-12T17:17:38.053Z NisUpdate from SignatureDropLocation returns S_OK
2013-04-12T17:17:38.053Z Verifying license file...
2013-04-12T17:17:38.053Z verified!
2013-04-12T17:17:38.053Z Product supports installmode: 1
2013-04-12T17:17:38.115Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-12T17:17:38.349Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.2.223.0
Service Version: 4.2.223.0
Engine Version: 1.1.9302.0
AS Signature Version: 1.147.1550.0
AV Signature Version: 1.147.1550.0
************************************************************
2013-04-12T17:17:39.083Z WAT report: machine genuine, state(1) error(0x0)
2013-04-12T17:20:07.120Z Reloading engine...
2013-04-12T17:20:07.342Z Verifying engine and signature files (source: 0) ...
2013-04-12T17:20:07.343Z verified!
2013-04-12T17:20:08.309Z Initializing SQM in engine...
2013-04-12T17:20:08.309Z SQM initialized in the engine successfully
2013-04-12T17:20:08.317Z Initializing RTP plugin state...
2013-04-12T17:20:08.318Z initialized!
2013-04-12T17:20:08.318Z Engine reloaded
****************************RTP Perf Log***************************
RTP Start:‎04‎-‎12‎-‎2013 19:17:38
Last Perf:‎04‎-‎12‎-‎2013 19:17:38
First RTP Scan:‎04‎-‎12‎-‎2013 19:20:07
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:35
  Async:8
Cache Flushes:
  RTP:1
System File Cache:
  Hits:1
  Misses:2
BM Queue:4,4,0
  Proc:0,0,0
  File:4,4,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:2,3,0
  SetEngine:1,1,0
  SetState:1,2,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:5
  Pending:0
  RegSize:23812
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1264
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:4
  TotalStreamCon:3417
  TotalBitmap:89200
  NTFS Cache Statistics:
   TotalMisses:25329
   TotalHits:8
   InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
   TotalMisses:0
   TotalHits:0
   InstanceCacheInserts:0
   InstanceCacheUpdates:0
   InstanceCacheDeletes:0
   InstanceCacheHits:0
   InstanceCacheMisses:0
   InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2013-04-12T17:20:08.363Z Process scan (poststartupscan) started.
2013-04-12T17:20:19.459Z Process scan (poststartupscan) completed.
2013-04-12T17:20:37.550Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-12T17:20:37.554Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2013-04-12T17:27:08.936Z Task(SpyNetService -RestrictPrivileges -AccessKey 251D8F61-3A3A-3438-DBFF-36CB82A139A7) launched
2013-04-12T17:27:38.358Z AutoPurgeWorker triggered with dwWork=0x3
2013-04-12T17:27:38.358Z Product supports installmode: 1
2013-04-12T17:27:38.358Z Task(-GenuineCheck -RestrictPrivileges) launched
2013-04-12T17:27:38.561Z WAT report: machine genuine, state(1) error(0x0)
2013-04-12T17:27:38.623Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2013-04-12T17:27:38.623Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 22611143(ms)
2013-04-12T17:27:45.066Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
         

Geändert von Malibouman (12.04.2013 um 19:57 Uhr)

Alt 12.04.2013, 19:57   #9
aharonov
/// TB-Ausbilder
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Hallo,

doch, diese Meldungen sind aufschlussreich:
Zitat:
Pfad: file:_C:\Users\Nisi\AppData\Roaming\Yxahe\noin.exe
Pfad: file:_C:\Users\Nisi\AppData\Roaming\Iboge\cyikgy.exe
MSE hat auf diesem Recher tatsächlich die von der Telekom erwähnten Zbots entdeckt und gelöscht.

Weiter:


Schritt 1

Downloade dir bitte AdwCleaner und speichere es auf deinen Desktop.
  • Schliesse alle offenen Programme und Browser.
  • Starte die adwcleaner.exe mit einem Doppelklick.
  • Klicke auf Löschen.
  • Bestätige jeweils mit Ok.
  • Dein Rechner wird neu gestartet, je nach Schwere der Infektion auch mehrmals - das ist normal. Nach dem Neustart öffnet sich eine Textdatei.
  • Poste mir den Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.



Schritt 2

Starte bitte die OTL.exe.
  • Setze den Haken bei Scan all Users.
  • Drücke auf den Quick Scan Button.
  • Poste den Inhalt von OTL.txt hier in den Thread.



Bitte poste in deiner nächsten Antwort:
  • Log von AdwCleaner
  • Log von OTL
__________________
cheers,
Leo

Alt 12.04.2013, 20:49   #10
Malibouman
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



der adwcleaner startet nicht. Ich habe es als Administrator aus geführt funktionier aber nicht.

Alt 12.04.2013, 20:52   #11
aharonov
/// TB-Ausbilder
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Dann überspring ihn und mach mit Schritt 2 weiter.
__________________
cheers,
Leo

Alt 12.04.2013, 21:08   #12
Malibouman
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



OTL.txt
Code:
ATTFilter
OTL logfile created on: 12.04.2013 22:00:03 - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Nisi\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
7,90 Gb Total Physical Memory | 4,94 Gb Available Physical Memory | 62,58% Memory free
15,79 Gb Paging File | 12,42 Gb Available in Paging File | 78,64% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 679,00 Gb Total Space | 570,36 Gb Free Space | 84,00% Space Free | Partition Type: NTFS
 
Computer Name: NISI-PC | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Nisi\Desktop\adwcleaner.exe ()
PRC - C:\Users\Nisi\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_169.exe (Adobe Systems, Inc.)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Freetec\SystemStore\SystemStore.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Nero\Update\NASvc.exe (Nero AG)
PRC - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE (SoftThinks SAS)
PRC - C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe ()
PRC - C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe ()
PRC - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe ()
PRC - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Users\Nisi\Desktop\adwcleaner.exe ()
MOD - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe ()
MOD - C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe ()
MOD - C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll ()
MOD - C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe ()
MOD - c:\program files (x86)\common files\roxio shared\dllshared\SQLite352.dll ()
MOD - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (WhsMcClient) -- C:\Program Files\Windows Server\Bin\WhsMcClient.exe (Microsoft Corporation)
SRV:64bit: - (arXfrSvc) -- C:\Program Files\Windows Server\Bin\Microsoft.HomeServer.Archive.TransferService.exe (Microsoft Corporation)
SRV:64bit: - (ServiceProviderRegistry) -- C:\Program Files\Windows Server\Bin\ProviderRegistryService.exe (Microsoft Corporation)
SRV:64bit: - (AMPPALR3) -- C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe (Intel Corporation)
SRV:64bit: - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
SRV:64bit: - (MyWiFiDHCPDNS) -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe ()
SRV:64bit: - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
SRV:64bit: - (LoClntService) -- C:\Program Files\Windows Server\Bin\LightsOutClientService.exe (AxoNet Software GmbH)
SRV:64bit: - (BTHSSecurityMgr) -- C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe (Intel(R) Corporation)
SRV:64bit: - (LANConfig) -- C:\Program Files\Windows Server\Bin\LANConfigSvc.exe (Microsoft Corporation)
SRV:64bit: - (WSS_ComputerBackupProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (SqmProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (providers_system) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (NotificationsProviderSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (initMonitor) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (HealthAlertsSvc) -- C:\Program Files\Windows Server\Bin\SharedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (WSConnectorUpdate) -- C:\Program Files\Windows Server\Bin\WSConnectorUpdate.exe (Microsoft Corporation)
SRV:64bit: - (TurboBoost) -- C:\Program Files\Intel\TurboBoost\TurboBoost.exe (Intel(R) Corporation)
SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV:64bit: - (AERTFilters) -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe (Andrea Electronics Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (SystemStoreService) -- C:\Program Files (x86)\Freetec\SystemStore\SystemStore.exe ()
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SelfUpdateService) -- C:\Program Files (x86)\Freetec\SystemStore\SelfUpdate.exe ()
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (NAUpdate) -- C:\Program Files (x86)\Nero\Update\NASvc.exe (Nero AG)
SRV - (SftService) -- C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE (SoftThinks SAS)
SRV - (Bluetooth OBEX Service) -- C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe (Intel Corporation)
SRV - (Bluetooth Media Service) -- C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe (Intel Corporation)
SRV - (Bluetooth Device Monitor) -- C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe (Intel Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (RoxWatch12) -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe (Sonic Solutions)
SRV - (RoxMediaDB12OEM) -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe (Sonic Solutions)
SRV - (NOBU) -- C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe (Dell, Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (nvpciflt) -- C:\Windows\SysNative\drivers\nvpciflt.sys (NVIDIA Corporation)
DRV:64bit: - (nvkflt) -- C:\Windows\SysNative\drivers\nvkflt.sys (NVIDIA Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV:64bit: - (acedrv10) -- C:\Windows\SysNative\drivers\acedrv10.sys (Protect Software GmbH)
DRV:64bit: - (acehlp10) -- C:\Windows\SysNative\drivers\acehlp10.sys (Protect Software GmbH)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (iBtFltCoex) -- C:\Windows\SysNative\drivers\iBtFltCoex.sys (Intel Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (btmhsf) -- C:\Windows\SysNative\drivers\btmhsf.sys (Intel Corporation)
DRV:64bit: - (AMPPALP) -- C:\Windows\SysNative\drivers\AmpPal.sys (Windows (R) Win 7 DDK provider)
DRV:64bit: - (AMPPAL) -- C:\Windows\SysNative\drivers\AmpPal.sys (Windows (R) Win 7 DDK provider)
DRV:64bit: - (NETwNs64) -- C:\Windows\SysNative\drivers\NETwNs64.sys (Intel Corporation)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek                                            )
DRV:64bit: - (btmaux) -- C:\Windows\SysNative\drivers\btmaux.sys (Intel Corporation)
DRV:64bit: - (btmaudio) -- C:\Windows\SysNative\drivers\btmaud.sys (Intel Corporation)
DRV:64bit: - (PCDSRVC{1E208CE0-FB7451FF-06020101}_0) -- c:\Program Files\Dell Support Center\pcdsrvc_x64.pkms (PC-Doctor, Inc.)
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (BackupReader) -- C:\Windows\SysNative\drivers\BackupReader.sys (Microsoft Corporation)
DRV:64bit: - (nusb3xhc) -- C:\Windows\SysNative\drivers\nusb3xhc.sys (Renesas Electronics Corporation)
DRV:64bit: - (nusb3hub) -- C:\Windows\SysNative\drivers\nusb3hub.sys (Renesas Electronics Corporation)
DRV:64bit: - (CtClsFlt) -- C:\Windows\SysNative\drivers\CtClsFlt.sys (Creative Technology Ltd.)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (JMCR) -- C:\Windows\SysNative\drivers\jmcr.sys (JMicron Technology Corporation)
DRV:64bit: - (Acceler) -- C:\Windows\SysNative\drivers\Accelern.sys (ST Microelectronics)
DRV:64bit: - (NvStUSB) -- C:\Windows\SysNative\drivers\nvstusb.sys ()
DRV:64bit: - (TurboB) -- C:\Windows\SysNative\drivers\TurboB.sys (Intel(R) Corporation)
DRV:64bit: - (RMCAST) -- C:\Windows\SysNative\drivers\rmcast.sys (Microsoft Corporation)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV:64bit: - (stdcfltn) -- C:\Windows\SysNative\drivers\stdcfltn.sys (ST Microelectronics)
DRV:64bit: - (qicflt) -- C:\Windows\SysNative\drivers\qicflt.sys (Quanta Computer)
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Sonic Solutions)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (15580312) -- C:\Windows\SysNative\drivers\15580312.sys (Kaspersky Lab)
DRV:64bit: - (15580311) -- C:\Windows\SysNative\drivers\15580311.sys (Kaspersky Lab)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (WimFltr) -- C:\Windows\SysNative\drivers\WimFltr.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {618E9691-F6C7-48C3-9201-A0670B68E6C7}
IE:64bit: - HKLM\..\SearchScopes\{618E9691-F6C7-48C3-9201-A0670B68E6C7}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {618E9691-F6C7-48C3-9201-A0670B68E6C7}
IE - HKLM\..\SearchScopes\{618E9691-F6C7-48C3-9201-A0670B68E6C7}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USCON/8
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USCON/8
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\..\SearchScopes,DefaultScope = {618E9691-F6C7-48C3-9201-A0670B68E6C7}
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
IE - HKU\S-1-5-21-4220994265-1922484629-2558833816-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.20 10:43:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\msktbird@mcafee.com: C:\Program Files\McAfee\MSK
 
[2011.11.28 21:32:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.07.20 10:43:27 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.04.10 16:23:30 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.04.10 16:23:30 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.04.10 16:23:30 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.04.10 16:23:30 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.04.10 16:23:30 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.04.10 16:23:30 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2012.08.23 12:03:39 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (PriceGong - Price Comparison) - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files (x86)\PriceGong\2.6.10\PriceGongIE.dll (PriceGong)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [BTMTrayAgent] C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll (Intel Corporation)
O4:64bit: - HKLM..\Run: [DellStage] C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe ()
O4:64bit: - HKLM..\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelPAN] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
O4:64bit: - HKLM..\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" File not found
O4:64bit: - HKLM..\Run: [Launchpad] C:\Program Files\Windows Server\Bin\Launchpad.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [QuickSet] c:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe ()
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [AccuWeatherWidget] C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe (Dell, Inc.)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [NeroLauncher] C:\Program Files (x86)\Nero\SyncUP\NeroLauncher.exe ()
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe (Sonic Solutions)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4220994265-1922484629-2558833816-1001..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-4220994265-1922484629-2558833816-1005..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-4220994265-1922484629-2558833816-1005..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Admin\Anwendungsdaten [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\AppData [2013.04.12 21:39:45 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Admin\Cookies [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\Desktop [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Admin\Documents [2013.04.12 21:39:44 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Admin\Downloads [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Admin\Druckumgebung [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\Eigene Dateien [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\Favorites [2011.11.25 05:05:19 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Admin\Links [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Admin\Lokale Einstellungen [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\Music [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Admin\Netzwerkumgebung [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\NTUSER.DAT ()
O4 - Startup: C:\Users\Admin\ntuser.dat.LOG1 ()
O4 - Startup: C:\Users\Admin\ntuser.dat.LOG2 ()
O4 - Startup: C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf ()
O4 - Startup: C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Admin\ntuser.ini ()
O4 - Startup: C:\Users\Admin\Pictures [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Admin\Recent [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\Roaming [2011.11.25 04:53:17 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Admin\Saved Games [2009.07.14 04:34:59 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Admin\SendTo [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\Startmenü [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Admin\Videos [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Admin\Vorlagen [2013.04.12 21:39:44 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69 [2012.10.16 21:00:33 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Adobe [2013.04.11 06:52:45 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Anwendungsdaten [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Apple [2012.10.16 20:58:39 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Apple Computer [2012.10.16 20:59:34 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Application Data [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Buhl Data Service GmbH [2013.03.08 13:32:35 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Creative [2011.11.28 21:03:19 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Dell [2011.11.25 05:17:18 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Desktop [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Documents [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Dokumente [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Favoriten [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Favorites [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Firefly Studios [2013.01.05 18:34:32 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\install_clap [2011.11.25 05:06:35 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Intel [2011.11.25 05:39:06 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Kaspersky Lab [2013.04.11 05:42:23 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\LightsOut [2013.04.12 00:02:04 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Macrovision [2011.11.25 05:19:50 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Malwarebytes [2013.04.11 07:22:02 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\McAfee [2013.03.25 18:28:47 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Microsoft [2013.03.25 18:31:22 | 000,000,000 | --SD | M]
O4 - Startup: C:\Users\All Users\Mozilla [2012.05.13 10:02:34 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Nero [2011.11.25 05:32:48 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\NVIDIA [2013.04.12 21:51:41 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\NVIDIA Corporation [2011.11.24 21:21:42 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Package Cache [2013.04.10 21:18:39 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\PCDr [2011.12.21 12:00:03 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\PhotoShow Shared Assets [2011.11.25 05:21:45 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Roaming [2011.11.25 04:53:17 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Roxio [2011.11.25 05:39:13 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Skype [2012.10.07 00:20:10 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Sonic [2013.04.12 21:53:20 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Start Menu [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Startmenü [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Sun [2011.11.25 04:47:11 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Temp [2011.11.25 05:07:05 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Templates [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Uninstall [2011.11.25 05:22:36 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Vorlagen [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Anwendungsdaten [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\AppData [2009.07.14 05:20:08 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Default\Application Data [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Cookies [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Desktop [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Documents [2011.11.28 20:50:24 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Downloads [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Druckumgebung [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Eigene Dateien [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Favorites [2011.11.25 05:05:19 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Links [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Local Settings [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Lokale Einstellungen [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Music [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\My Documents [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\NetHood [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Netzwerkumgebung [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\NTUSER.DAT ()
O4 - Startup: C:\Users\Default\NTUSER.DAT.LOG ()
O4 - Startup: C:\Users\Default\NTUSER.DAT.LOG1 ()
O4 - Startup: C:\Users\Default\NTUSER.DAT.LOG2 ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Default\Pictures [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\PrintHood [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Recent [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Roaming [2011.11.25 04:53:17 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Default\Saved Games [2009.07.14 04:34:59 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Default\SendTo [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Start Menu [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Startmenü [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Templates [2009.07.14 07:08:56 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Videos [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Vorlagen [2011.11.28 20:50:24 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\.TransferManager.db ()
O4 - Startup: C:\Users\Nisi\Anwendungsdaten [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\AppData [2011.11.28 20:50:37 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Nisi\Application Data [2011.12.22 23:21:53 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Nisi\Contacts [2012.07.13 08:55:20 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Cookies [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\defogger_reenable ()
O4 - Startup: C:\Users\Nisi\Desktop [2013.04.12 21:52:46 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Documents [2013.04.04 21:05:58 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Downloads [2013.04.12 21:52:46 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Druckumgebung [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\Eigene Dateien [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\Favorites [2012.07.13 08:55:20 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Links [2012.07.13 08:55:21 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Lokale Einstellungen [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\Mein Backup Datei [2011.12.01 23:21:14 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Nisi\Music [2013.01.13 20:00:31 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Netzwerkumgebung [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\ntuser.dat ()
O4 - Startup: C:\Users\Nisi\ntuser.dat.LOG1 ()
O4 - Startup: C:\Users\Nisi\ntuser.dat.LOG2 ()
O4 - Startup: C:\Users\Nisi\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf ()
O4 - Startup: C:\Users\Nisi\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Nisi\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Nisi\ntuser.dat{7013ea63-eb03-11e1-9521-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\Nisi\ntuser.dat{7013ea63-eb03-11e1-9521-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Nisi\ntuser.dat{7013ea63-eb03-11e1-9521-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Nisi\ntuser.ini ()
O4 - Startup: C:\Users\Nisi\Pictures [2013.03.22 15:01:33 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Recent [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\Roaming [2011.11.25 04:53:17 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Nisi\Saved Games [2012.07.13 08:55:21 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Searches [2012.07.13 08:55:21 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\SendTo [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\Startmenü [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Nisi\SyncUP [2012.01.14 23:06:48 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Nisi\Videos [2012.07.13 08:55:20 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Nisi\Vorlagen [2011.11.28 20:50:37 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Public\Desktop [2013.04.11 07:22:07 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Users\Public\Documents [2012.06.13 18:35:33 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Downloads [2009.07.14 06:54:24 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Favorites [2009.07.14 04:34:59 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Users\Public\Libraries [2011.12.26 17:42:50 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Users\Public\Music [2011.11.25 05:07:39 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Public\NTUSER.DAT ()
O4 - Startup: C:\Users\Public\NTUSER.DAT.LOG1 ()
O4 - Startup: C:\Users\Public\NTUSER.DAT.LOG2 ()
O4 - Startup: C:\Users\Public\NTUSER.DAT{0344fc72-9f62-11e2-91a8-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\Public\NTUSER.DAT{0344fc72-9f62-11e2-91a8-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Public\NTUSER.DAT{0344fc72-9f62-11e2-91a8-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Public\NTUSER.DAT{3c482498-9560-11e2-9a4b-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\Public\NTUSER.DAT{3c482498-9560-11e2-9a4b-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Public\NTUSER.DAT{3c482498-9560-11e2-9a4b-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Public\Pictures [2011.11.24 21:22:21 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Public\Recorded TV [2012.08.20 22:32:11 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Roaming [2011.11.25 04:53:17 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Public\Videos [2011.11.25 05:07:21 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Anwendungsdaten [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\AppData [2011.11.25 04:28:16 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\UpdatusUser\Contacts [2011.11.25 04:28:17 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\UpdatusUser\Cookies [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\Desktop [2011.11.28 23:54:41 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Documents [2011.11.25 04:28:16 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Downloads [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Druckumgebung [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\Eigene Dateien [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\Favorites [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Links [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Lokale Einstellungen [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\Music [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Netzwerkumgebung [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT ()
O4 - Startup: C:\Users\UpdatusUser\ntuser.dat.LOG1 ()
O4 - Startup: C:\Users\UpdatusUser\ntuser.dat.LOG2 ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{04dec96d-3e3e-11e2-8dbb-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{04dec96d-3e3e-11e2-8dbb-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{04dec96d-3e3e-11e2-8dbb-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{14011488-47af-11e2-9b08-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{14011488-47af-11e2-9b08-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{14011488-47af-11e2-9b08-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{4023e0a5-ccb7-11e1-8586-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{4023e0a5-ccb7-11e1-8586-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{4023e0a5-ccb7-11e1-8586-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{503cbcda-47ad-11e2-9901-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{503cbcda-47ad-11e2-9901-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{503cbcda-47ad-11e2-9901-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{7013ea5f-eb03-11e1-9521-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{7013ea5f-eb03-11e1-9521-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{7013ea5f-eb03-11e1-9521-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{e4cfab72-3cb8-11e2-aab9-4c809313b7cf}.TM.blf ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{e4cfab72-3cb8-11e2-aab9-4c809313b7cf}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\NTUSER.DAT{e4cfab72-3cb8-11e2-aab9-4c809313b7cf}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\UpdatusUser\ntuser.ini ()
O4 - Startup: C:\Users\UpdatusUser\Pictures [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Recent [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\Roaming [2011.11.25 04:53:17 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\UpdatusUser\Saved Games [2009.07.14 04:34:59 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\UpdatusUser\Searches [2011.11.25 04:28:17 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\UpdatusUser\SendTo [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\Startmenü [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\UpdatusUser\Videos [2009.07.14 04:34:59 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\UpdatusUser\Vorlagen [2011.11.25 04:28:16 | 000,000,000 | -HSD | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000010 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 10.5.0)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 10.5.0)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 10.17.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{46CD7530-E428-4AA1-B771-D02512DEA408}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5AE2C78F-0852-4906-82A1-BCD7DED5A405}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~2\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.04.12 21:39:44 | 000,000,000 | R--D | C] -- C:\Users\Admin\Videos
[2013.04.12 21:39:44 | 000,000,000 | R--D | C] -- C:\Users\Admin\Pictures
[2013.04.12 21:39:44 | 000,000,000 | R--D | C] -- C:\Users\Admin\Music
[2013.04.12 21:39:44 | 000,000,000 | R--D | C] -- C:\Users\Admin\Links
[2013.04.12 21:39:44 | 000,000,000 | R--D | C] -- C:\Users\Admin\Favorites
[2013.04.12 21:39:44 | 000,000,000 | R--D | C] -- C:\Users\Admin\Downloads
[2013.04.12 21:39:44 | 000,000,000 | R--D | C] -- C:\Users\Admin\Documents
[2013.04.12 21:39:44 | 000,000,000 | R--D | C] -- C:\Users\Admin\Desktop
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Vorlagen
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Startmenü
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\SendTo
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Recent
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Netzwerkumgebung
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Lokale Einstellungen
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Eigene Dateien
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Druckumgebung
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Cookies
[2013.04.12 21:39:44 | 000,000,000 | -HSD | C] -- C:\Users\Admin\Anwendungsdaten
[2013.04.12 21:39:44 | 000,000,000 | -H-D | C] -- C:\Users\Admin\AppData
[2013.04.12 21:39:44 | 000,000,000 | ---D | C] -- C:\Users\Admin\Saved Games
[2013.04.12 21:39:44 | 000,000,000 | ---D | C] -- C:\Users\Admin\Roaming
[2013.04.11 07:22:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.04.11 07:22:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.04.11 07:22:01 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.04.11 07:22:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.04.10 20:35:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2013.04.10 20:34:44 | 000,352,784 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\1558031.sys
[2013.04.10 20:34:44 | 000,157,712 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\15580311.sys
[2013.04.10 20:34:44 | 000,040,464 | ---- | C] (Kaspersky Lab) -- C:\Windows\SysNative\drivers\15580312.sys
[2013.03.25 18:31:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2013.03.25 18:31:18 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013.03.17 21:39:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2013.03.17 21:38:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2013.03.17 21:38:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
 
========== Files - Modified Within 30 Days ==========
 
[2013.04.12 22:00:37 | 000,021,072 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.04.12 22:00:37 | 000,021,072 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.04.12 21:58:30 | 001,612,484 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.04.12 21:58:30 | 000,696,870 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.04.12 21:58:30 | 000,652,148 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.04.12 21:58:30 | 000,148,134 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.04.12 21:58:30 | 000,121,080 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.04.12 21:51:39 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.04.12 21:51:19 | 2064,252,927 | -HS- | M] () -- C:\hiberfil.sys
[2013.04.12 21:50:42 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2013.04.12 20:13:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.04.11 07:22:07 | 000,001,115 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.04.11 03:45:16 | 000,349,888 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.04.04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.04.02 13:40:15 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2013.03.25 18:31:53 | 000,001,912 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013.03.20 19:57:26 | 709,350,934 | ---- | M] () -- C:\Windows\MEMORY.DMP
 
========== Files Created - No Company Name ==========
 
[2013.04.11 07:22:07 | 000,001,115 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.04.11 06:51:50 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.25 18:31:27 | 000,002,079 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013.03.25 18:27:46 | 000,001,912 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012.10.05 10:57:04 | 000,000,917 | ---- | C] () -- C:\Windows\wiso.ini
[2012.06.13 16:48:47 | 000,016,098 | ---- | C] () -- C:\Windows\German2.ini
[2011.12.20 12:56:39 | 000,000,400 | ---- | C] () -- C:\Windows\ODBC.INI
[2011.11.25 06:16:57 | 000,004,273 | RH-- | C] () -- \dell.sdr
[2011.11.25 05:48:56 | 000,066,856 | ---- | C] () -- C:\Windows\SysWow64\SynTPEnhPS.dll
[2011.11.25 05:48:04 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2011.11.25 05:48:00 | 000,218,304 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2011.11.25 05:47:59 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2011.11.25 05:47:58 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2011.11.25 05:47:57 | 013,903,872 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
[2011.11.24 21:18:22 | 2064,252,927 | -HS- | C] () -- \hiberfil.sys
[2007.11.07 08:53:12 | 000,242,176 | ---- | C] () -- \VC_RED.MSI
[2007.11.07 08:50:40 | 001,927,956 | ---- | C] () -- \VC_RED.cab
[2007.11.07 08:44:20 | 000,855,040 | ---- | C] () -- \install.exe
[2007.11.07 08:44:20 | 000,096,272 | ---- | C] () -- \install.res.1036.dll
[2007.11.07 08:44:20 | 000,095,248 | ---- | C] () -- \install.res.3082.dll
[2007.11.07 08:44:20 | 000,095,248 | ---- | C] () -- \install.res.1031.dll
[2007.11.07 08:44:20 | 000,094,224 | ---- | C] () -- \install.res.1040.dll
[2007.11.07 08:44:20 | 000,090,128 | ---- | C] () -- \install.res.1033.dll
[2007.11.07 08:44:20 | 000,080,400 | ---- | C] () -- \install.res.1041.dll
[2007.11.07 08:44:20 | 000,078,864 | ---- | C] () -- \install.res.1042.dll
[2007.11.07 08:44:20 | 000,075,280 | ---- | C] () -- \install.res.1028.dll
[2007.11.07 08:44:20 | 000,074,768 | ---- | C] () -- \install.res.2052.dll
[2007.11.07 08:00:40 | 000,005,686 | ---- | C] () -- \vcredist.bmp
[2007.11.07 08:00:40 | 000,001,110 | ---- | C] () -- \globdata.ini
[2007.11.07 08:00:40 | 000,000,843 | ---- | C] () -- \install.ini
 
========== ZeroAccess Check ==========
 
[2009.07.14 06:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 07:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 06:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 03:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 05:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 03:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Anwendungsdaten
[2013.04.12 21:39:45 | 000,000,000 | -H-D | M] -- C:\Users\Admin\AppData
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Cookies
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Admin\Desktop
[2013.04.12 21:39:44 | 000,000,000 | R--D | M] -- C:\Users\Admin\Documents
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Admin\Downloads
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Druckumgebung
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Eigene Dateien
[2011.11.25 05:05:19 | 000,000,000 | R--D | M] -- C:\Users\Admin\Favorites
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Admin\Links
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Lokale Einstellungen
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Admin\Music
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Netzwerkumgebung
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Admin\Pictures
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Recent
[2011.11.25 04:53:17 | 000,000,000 | ---D | M] -- C:\Users\Admin\Roaming
[2009.07.14 04:34:59 | 000,000,000 | ---D | M] -- C:\Users\Admin\Saved Games
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\SendTo
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Startmenü
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Admin\Videos
[2013.04.12 21:39:44 | 000,000,000 | -HSD | M] -- C:\Users\Admin\Vorlagen
[2012.10.16 21:00:33 | 000,000,000 | ---D | M] -- C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Anwendungsdaten
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Application Data
[2013.03.08 13:32:35 | 000,000,000 | ---D | M] -- C:\Users\All Users\Buhl Data Service GmbH
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Desktop
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Documents
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Dokumente
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Favoriten
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Favorites
[2013.01.05 18:34:32 | 000,000,000 | ---D | M] -- C:\Users\All Users\Firefly Studios
[2011.11.25 05:06:35 | 000,000,000 | ---D | M] -- C:\Users\All Users\install_clap
[2013.04.12 00:02:04 | 000,000,000 | ---D | M] -- C:\Users\All Users\LightsOut
[2013.04.10 21:18:39 | 000,000,000 | ---D | M] -- C:\Users\All Users\Package Cache
[2011.12.21 12:00:03 | 000,000,000 | ---D | M] -- C:\Users\All Users\PCDr
[2011.11.25 05:21:45 | 000,000,000 | ---D | M] -- C:\Users\All Users\PhotoShow Shared Assets
[2011.11.25 04:53:17 | 000,000,000 | ---D | M] -- C:\Users\All Users\Roaming
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Start Menu
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Startmenü
[2011.11.25 05:07:05 | 000,000,000 | ---D | M] -- C:\Users\All Users\Temp
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Templates
[2011.11.25 05:22:36 | 000,000,000 | ---D | M] -- C:\Users\All Users\Uninstall
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\All Users\Vorlagen
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\Default\Anwendungsdaten
[2009.07.14 05:20:08 | 000,000,000 | -H-D | M] -- C:\Users\Default\AppData
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\Application Data
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\Cookies
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Default\Desktop
[2011.11.28 20:50:24 | 000,000,000 | R--D | M] -- C:\Users\Default\Documents
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Default\Downloads
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\Default\Druckumgebung
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\Default\Eigene Dateien
[2011.11.25 05:05:19 | 000,000,000 | R--D | M] -- C:\Users\Default\Favorites
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Default\Links
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\Local Settings
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\Default\Lokale Einstellungen
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Default\Music
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\My Documents
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\NetHood
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\Default\Netzwerkumgebung
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Default\Pictures
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\PrintHood
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\Recent
[2011.11.25 04:53:17 | 000,000,000 | ---D | M] -- C:\Users\Default\Roaming
[2009.07.14 04:34:59 | 000,000,000 | ---D | M] -- C:\Users\Default\Saved Games
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\SendTo
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\Start Menu
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\Default\Startmenü
[2009.07.14 07:08:56 | 000,000,000 | -HSD | M] -- C:\Users\Default\Templates
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\Default\Videos
[2011.11.28 20:50:24 | 000,000,000 | -HSD | M] -- C:\Users\Default\Vorlagen
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Anwendungsdaten
[2011.11.28 20:50:37 | 000,000,000 | -H-D | M] -- C:\Users\Nisi\AppData
[2011.12.22 23:21:53 | 000,000,000 | ---D | M] -- C:\Users\Nisi\Application Data
[2012.07.13 08:55:20 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Contacts
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Cookies
[2013.04.12 21:52:46 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Desktop
[2013.04.04 21:05:58 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Documents
[2013.04.12 21:52:46 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Downloads
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Druckumgebung
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Eigene Dateien
[2012.07.13 08:55:20 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Favorites
[2012.07.13 08:55:21 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Links
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Lokale Einstellungen
[2011.12.01 23:21:14 | 000,000,000 | ---D | M] -- C:\Users\Nisi\Mein Backup Datei
[2013.01.13 20:00:31 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Music
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Netzwerkumgebung
[2013.03.22 15:01:33 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Pictures
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Recent
[2011.11.25 04:53:17 | 000,000,000 | ---D | M] -- C:\Users\Nisi\Roaming
[2012.07.13 08:55:21 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Saved Games
[2012.07.13 08:55:21 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Searches
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\SendTo
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Startmenü
[2012.01.14 23:06:48 | 000,000,000 | ---D | M] -- C:\Users\Nisi\SyncUP
[2012.07.13 08:55:20 | 000,000,000 | R--D | M] -- C:\Users\Nisi\Videos
[2011.11.28 20:50:37 | 000,000,000 | -HSD | M] -- C:\Users\Nisi\Vorlagen
[2013.04.11 07:22:07 | 000,000,000 | RH-D | M] -- C:\Users\Public\Desktop
[2012.06.13 18:35:33 | 000,000,000 | R--D | M] -- C:\Users\Public\Documents
[2009.07.14 06:54:24 | 000,000,000 | R--D | M] -- C:\Users\Public\Downloads
[2009.07.14 04:34:59 | 000,000,000 | RH-D | M] -- C:\Users\Public\Favorites
[2011.12.26 17:42:50 | 000,000,000 | RH-D | M] -- C:\Users\Public\Libraries
[2011.11.25 05:07:39 | 000,000,000 | ---D | M] -- C:\Users\Public\Music
[2011.11.24 21:22:21 | 000,000,000 | ---D | M] -- C:\Users\Public\Pictures
[2012.08.20 22:32:11 | 000,000,000 | R--D | M] -- C:\Users\Public\Recorded TV
[2011.11.25 04:53:17 | 000,000,000 | ---D | M] -- C:\Users\Public\Roaming
[2011.11.25 05:07:21 | 000,000,000 | R--D | M] -- C:\Users\Public\Videos
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Anwendungsdaten
[2011.11.25 04:28:16 | 000,000,000 | -H-D | M] -- C:\Users\UpdatusUser\AppData
[2011.11.25 04:28:17 | 000,000,000 | ---D | M] -- C:\Users\UpdatusUser\Contacts
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Cookies
[2011.11.28 23:54:41 | 000,000,000 | R--D | M] -- C:\Users\UpdatusUser\Desktop
[2011.11.25 04:28:16 | 000,000,000 | R--D | M] -- C:\Users\UpdatusUser\Documents
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\UpdatusUser\Downloads
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Druckumgebung
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Eigene Dateien
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\UpdatusUser\Favorites
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\UpdatusUser\Links
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Lokale Einstellungen
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\UpdatusUser\Music
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Netzwerkumgebung
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\UpdatusUser\Pictures
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Recent
[2011.11.25 04:53:17 | 000,000,000 | ---D | M] -- C:\Users\UpdatusUser\Roaming
[2009.07.14 04:34:59 | 000,000,000 | ---D | M] -- C:\Users\UpdatusUser\Saved Games
[2011.11.25 04:28:17 | 000,000,000 | ---D | M] -- C:\Users\UpdatusUser\Searches
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\SendTo
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Startmenü
[2009.07.14 04:34:59 | 000,000,000 | R--D | M] -- C:\Users\UpdatusUser\Videos
[2011.11.25 04:28:16 | 000,000,000 | -HSD | M] -- C:\Users\UpdatusUser\Vorlagen
 
========== Purity Check ==========
 
 

< End of report >
         
Achso ich habe nen Admin Account erstellt. Jetzt im nachhinein kommt mir das total dumm, vor weil dafür war es ja schon zuspät.

Sorry!

MaLi

Alt 12.04.2013, 21:12   #13
aharonov
/// TB-Ausbilder
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Sieht aus, als wäre gründlich entfernt worden.
Wie läuft denn der Rechner?


Schritt 1
  • Starte bitte die OTL.exe.
  • Kopiere nun den folgenden Inhalt aus der Codebox in die Textbox.
    Wichtig: Falls du deinen Benutzernamen im Log unkenntlich gemacht hast (z.B. durch ***), dann mach das hier wieder rückgängig.
Code:
ATTFilter
:commands
[emptytemp]
         
  • Schliesse nun bitte alle anderen Programme.
  • Klicke jetzt auf den Fix Button.
  • OTL kann gegebenfalls einen Neustart verlangen. Diesen bitte zulassen.
  • Nach dem Neustart findest du ein Textdokument auf deinem Desktop.
    (Auch zu finden unter C:\_OTL\MovedFiles\<date_time>.log)
  • Kopiere nun dessen Inhalt hier in deinen Thread.



Schritt 2

Lade das Setup des ESET Online Scanners herunter und speichere es auf den Desktop.
  • Schliesse evtl. vorhandene externe Festplatten und USB-Sticks an den Rechner an.
  • Deaktiviere jetzt temporär für diesen Scan dein Antivirenprogramm und die Firewall.
    (Danach nicht vergessen, sie wieder einzuschalten.)
  • Starte nun die heruntergeladene esetsmartinstaller_enu.exe.
  • Setze den Haken bei Yes, I accept the Terms of Use und drücke Start.
  • Warte bis die Komponenten heruntergeladen sind.
  • Setze den Haken bei Scan archives.
  • Gehe sicher, dass bei Remove found Threats kein Haken gesetzt ist.
  • Drücke dann auf Start.
  • Die Signaturen werden heruntergeladen und der Scan startet automatisch.
    Hinweis: Dieser Scan kann unter Umständen ziemlich lange dauern!
  • Falls nach Beendigung des Scans Funde angezeigt werden, dann:
    • Drücke auf List of found threats.
    • Klicke dann auf Export to text file... und speichere die Textdatei als ESET.txt auf den Desktop.
    • Drücke danach auf << Back.
  • Schliesse nun den Scanner mit einem Klick auf Finish.
Poste bitte den Inhalt der ESET.txt oder teile mir mit, wenn es keine Funde gegeben hat.



Schritt 3

Downloade dir bitte SecurityCheck (Link 2).
  • Speichere es auf dem Desktop.
  • Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
    Vista und Win7 User mit Rechtsklick "als Administrator starten"
  • Wenn der Scan beendet wurde, sollte sich ein Textdokument (checkup.txt) öffnen.
Poste den Inhalt bitte hier.



Bitte poste in deiner nächsten Antwort:
  • Fixlog von OTL
  • Log von ESET
  • Log von SecurityCheck
__________________
cheers,
Leo

Alt 13.04.2013, 03:49   #14
Malibouman
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



So also der Rechner läuft ohne erkennbare Probleme, aber ich habe das ja vorher auch nicht gemerkt.

OTL.txt

Code:
ATTFilter
All processes killed
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Admin
-> No Temporary Internet Files cache folder defined!
 
User: All Users
->Temp folder emptied: 358984 bytes
-> No Temporary Internet Files cache folder defined!
 
User: Default
-> No Temporary Internet Files cache folder defined!
 
User: Default User
-> No Temporary Internet Files cache folder defined!
 
User: Nisi
-> No Temporary Internet Files cache folder defined!
 
User: Public
-> No Temporary Internet Files cache folder defined!
 
User: UpdatusUser
-> No Temporary Internet Files cache folder defined!
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 346829268 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 85029 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 331,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 04122013_221824
         
Eset hat nichts gefunden.

checkup.txt
Code:
ATTFilter
 Results of screen317's Security Check version 0.99.62  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
Microsoft Security Essentials   
  (On Access scanning disabled!) 
 Error obtaining update status for antivirus!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware Version 1.75.0.1300  
 JavaFX 2.1.1    
 Java(TM) 6 Update 27  
 Java 7 Update 17  
 Adobe Flash Player 11.7.700.169  
 Adobe Reader 10.1.5 Adobe Reader out of Date!  
 Mozilla Firefox 14.0.1 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         
Gruß Mali

Alt 13.04.2013, 12:11   #15
aharonov
/// TB-Ausbilder
 
Telekom Brief Zeus/Zbot - Standard

Telekom Brief Zeus/Zbot



Hallo Mali,

prima, das sieht wieder besser aus.
Bleiben noch Updates und aufräumen.


Schritt 1

Dein Java ist nicht mehr aktuell. Ältere Versionen enthalten Sicherheitslücken, die von Malware zur Infizierung per Drive-by Download missbraucht werden können.

Die aktuelle Version ist Java 7 Update 17.
  • Gehe zu
    Start --> Systemsteuerung --> Programme und Funktionen (bei Vista / Win 7)
    Start --> Systemsteuerung --> Software (bei Win XP)
    und deinstalliere alle älteren Java-Versionen.



Schritt 2

Dein Firefox ist nicht mehr aktuell.
Starte deinen Firefox als Administrator, klicke Hilfe --> Über Firefox und führe das angebotene Update durch.
Wiederhole diesen Schritt, bis Firefox als aktuell angezeigt wird.



Schritt 3

Die Version deines Adobe PDF Readers ist veraltet, wir müssen ihn updaten:
  • Deinstalliere bitte deine aktuelle Version von Adobe Reader über
    Start --> Systemsteuerung --> Software (bei Windows XP)
    Start --> Systemsteuerung --> Programme und Funktionen (bei Vista / Windows 7)
  • Besuche diese Seite von Adobe.
  • Entferne gegebenenfalls den Haken bei McAfee Security Scan bzw. Google Chrome.
  • Drücke auf Jetzt herunterladen und installiere die neuste Version.



Cleanup

Zum Schluss werden wir jetzt noch unsere Tools (inklusive der Quarantäne-Ordner) wegräumen, die verseuchten Systemwiederherstellungspunkte löschen und alle Einstellungen wieder herrichten. Auch diese Schritte sind noch wichtig und sollten in der angegebenen Reihenfolge ausgeführt werden.
  1. Falls zu Beginn defogger verwendet wurde, dann starte defogger und drücke den Button Re-enable.
  2. Bei MBAM würd ich dir unbedingt empfehlen, es zu behalten und wöchentlich einen Quick-Scan durchzuführen. Wenn du es nicht weiter verwenden möchtest, kannst du es jetzt normal über die Systemsteuerung deinstallieren.
  3. Auch den ESET Online Scanner kannst du behalten, um ab und zu (monatlich) für eine Zweitmeinung dein System damit zu scannen. Falls du ESET deinstallieren möchtest, dann kannst du das ebenfalls über die Systemsteuerung tun.
  4. Downloade dir bitte auf jeden Fall DelFix auf deinen Desktop.
    • Schliesse alle offenen Programme.
    • Starte die delfix.exe mit einem Doppelklick.
    • Setze vor jede Funktion ein Häkchen.
    • Klicke auf Start.
    • DelFix entfernt u.a. alle von uns verwendeten Programme und löscht sich anschliessend selbst.
  5. Wenn jetzt noch etwas übriggeblieben ist, dann kannst du es einfach manuell löschen.




>> OK <<
Wir sind durch, deine Logs sehen für mich im Moment sauber aus.

Ich habe dir nachfolgend ein paar Hinweise und Tipps zusammengestellt, die dazu beitragen sollen, dass du in Zukunft unsere Hilfe nicht mehr brauchen wirst.

Bitte gib mir danach noch eine kurze Rückmeldung, wenn auch von deiner Seite keine Probleme oder Fragen mehr offen sind, damit ich dieses Thema als erledigt betrachten kann.




Epilog: Tipps, Dos & Don'ts

Aktualität von System und Software

Das Betriebsystem Windows muss zwingend immer auf dem neusten Stand sein. Stelle sicher, dass die automatischen Updates aktiviert sind:
  • Windows XP: Start --> Systemsteuerung --> Doppelklick auf Automatische Updates
  • Windows Vista / 7: Start --> Systemsteuerung --> System und Sicherheit --> Automatische Updates aktivieren oder deaktivieren

Auch die installierte Software sollte immer in der aktuellsten Version vorliegen.
Speziell gilt das für den Browser, Java, Flash-Player und PDF-Reader, denn bekannte Sicherheitslücken in deren alten Versionen werden dazu ausgenutzt, um beim blossen Besuch einer präparierten Website per Drive-by Download Malware zu installieren. Das kann sogar auf normalerweise legitimen Websites geschehen, wenn es einem Angreifer gelungen ist, seinen Code in die Seite einzuschleusen, und ist deshalb relativ unberechenbar.
  • Mit diesem kleinen Plugin-Check kannst du regelmässig diese Komponenten auf deren Aktualität überprüfen.
  • Achte auch darauf, dass alte, nicht mehr verwendete Versionen deinstalliert sind.
  • Optional: Das Programm Secunia Personal Software Inspector kann dich dabei unterstützen, stets die aktuellen Versionen sämtlicher installierter Software zu nutzen.

Sicherheits-Software

Eine Bemerkung vorneweg: Jede Softwarelösung hat ihre Schwächen. Die gesamte Verantwortung für die Sicherheit auf Software zu übertragen und einen Rundum-Schutz zu erwarten, wäre eine gefährliche Illusion. Bei unbedachtem oder bewusst risikoreichem Verhalten wird auch das beste Programm früher oder später seinen Dienst versagen (z.B. ein Virenscanner, der eine verseuchte Datei nicht erkennt).
Trotzdem ist entsprechende Software natürlich wichtig und hilft dir in Kombination mit einem gut gewarteten (up-to-date) System und durchdachtem Verhalten, deinen Rechner sauber zu halten.
  • Nutze einen Virenscanner mit Hintergrundwächter mit stets aktueller Datenbank. Welches Produkt gewählt wird, spielt keine so entscheidende Rolle. Es gibt kommerzielle Versionen, aber ein kostenloser Scanner mit den Grundfunktionen wie beispielsweise Avast! Free Antivirus sollte ausreichen. Betreibe aber keinesfalls zwei Wächter parallel, die würden sich gegenseitig behindern.
  • Aktiviere eine Firewall. Die in Windows integrierte genügt im Normalfall völlig.
  • Zusätzlich zum Virenscanner kannst du dein System regelmässig mit einem On-Demand Antimalwareprogramm scannen. Empfehlenswert ist die Free-Version von Malwarebytes Anti-Malware. Vor jedem Scan die Datenbank updaten.
  • Optional: Das Programm Sandboxie führt Anwendungen in einer isolierten Umgebung ("Sandkasten") aus, so dass keine Änderungen am System vorgenommen werden können. Wenn du deinen Browser darin startest, vermindert sich die Chance, dass beim Surfen eingefangene Malware sich dauerhaft im System festsetzen kann.
  • Optional: Das Addon WOT (web of trust) warnt dich vor einer als schädlich gemeldeten Website, bevor sie geladen wird. Für verschiedene Browser erhältlich.

Es liegt in der Natur der Sache, dass die am weitesten verbreitete Anwendungs-Software auch am häufigsten von Malware-Autoren attackiert wird. Es kann daher bereits einen kleinen Sicherheitsgewinn darstellen, wenn man alternative Software (z.B. einen alternativen PDF Reader) benutzt.
Anstelle des Internet Explorers kann man beispielsweise den Mozilla Firefox einsetzen, für welchen es zwei nützliche Addons zur Empfehlung gibt:
  • NoScript verhindert standardmässig das Ausführen von aktiven Inhalten (Java, JavaScript, Flash, ..) für sämtliche Websites. Du kannst selber nach dem Prinzip einer Whitelist festlegen, welchen Seiten du vertrauen und Scripts erlauben willst, auch temporär.
  • Adblock Plus blockt die meisten Werbebanner weg. Solche Banner können nebst ihrer störenden Erscheinung auch als Infektionsherde fungieren.

(Un-)Sicheres Verhalten im Internet

Nebst unbemerkten Drive-by Installationen wird Malware aber auch oft mehr oder weniger aktiv vom Benutzer selbst installiert.

Der Besuch zwielichtiger Websites kann bereits Risiken bergen. Und Downloads aus dubiosen Quellen sind immer russisches Roulette. Auch wenn der Virenscanner im Moment darin keine Bedrohung erkennt, muss das nichts bedeuten.
  • Illegale Cracks, Keygens und Serials sind ein ausgesprochen einfacher (und ein beliebter) Weg, um Malware zu verbreiten.
  • Bei Dateien aus Peer-to-Peer- und Filesharingprogrammen oder von Filehostern kannst du dir nie sicher sein, ob auch wirklich drin ist, was drauf steht.

Oft wird auch versucht, den Benutzer mit mehr oder weniger trickreichen Methoden dazu zu bringen, eine für ihn verhängnisvolle Handlung selbst auszuführen (Überbegriff Social Engineering).
  • Surfe mit Vorsicht und lass dich nicht von irgendwie interessant erscheinenden Elementen zu einem vorschnellen Klick verleiten. Lass dich nicht von Popups täuschen, die aussehen wie System- oder Virenmeldungen.
  • Sei skeptisch bei unerwarteten E-Mails, insbesondere wenn sie Anhänge enthalten. Auch wenn sie auf den ersten Blick authentisch wirken, persönliche Daten von dir enthalten oder vermeintlich von einem bekannten Absender stammen: Lieber nochmals in Ruhe überdenken oder nachfragen, anstatt einfach mal Links oder ausführbare Anhänge öffnen oder irgendwo deine Daten eingeben.
  • Auch in sozialen Netzwerken oder über Instant Messaging Systeme können schädliche Links oder Dateien die Runde machen. Erhältst du von einem deiner Freunde eine Nachricht, die merkwürdig ist oder so sensationell interessant oder skandalös tönt, dass man einfach draufklicken muss, dann hat bei ihm/ihr wahrscheinlich Neugier über Verstand gesiegt und du solltest nicht denselben Fehler machen.
  • Lass die Dateiendungen anzeigen, so dass du dich nicht täuschen lässt, wenn eine ausführbare Datei über ein doppelte Dateiendung kaschiert wird, z.B. Nacktfoto.jpg.exe.

Nervige Adware (Werbung) und unnötige Toolbars werden auch meist durch den Benutzer selbst mitinstalliert.
  • Lade Software in erster Priorität immer direkt vom Hersteller herunter. Viele Softwareportale (z.B. Softonic) packen noch unnützes Zeug mit in die Installation. Alternativ dazu wähle ein sauberes Portal wie Filepony oder heise.
  • Wähle beim Installieren von Software immer die benutzerdefinierte Option und entferne den Haken bei allen optional angebotenen Toolbars oder sonstigen fürs Programm irrelevanten Ergänzungen.

Allgemeine Hinweise

Abschliessend noch ein paar grundsätzliche Bemerkungen:
  • Dein Benutzerkonto für den alltäglichen Gebrauch sollte nicht über Administratorenrechte verfügen. Nutze ein Konto mit eingeschränkten Rechten (Windows XP) bzw. aktiviere die Benutzerkontensteuerung (UAC) auf der höchsten Stufe (Windows Vista / 7).
  • Erstelle regelmässig Backups deiner Daten und Dokumente auf externen Datenträgern, bei wichtigen Dateien mindestens zweifach. Nicht nur ein Malwarebefall kann schmerzhaften Datenverlust nach sich ziehen sondern auch ein gewöhnlicher Festplattendefekt.
  • Die Autorun/Autoplay-Funktion stellt ein Risiko dar, denn sie ermöglicht es, dass beispielsweise beim Einstecken eines entsprechend infizierten USB-Sticks der Befall auf den Rechner überspringt. Überlege dir, ob du diese Funktion nicht besser deaktivieren möchtest.
  • Wähle deine Passwörter gemäss den gängigen Regeln, um besser gegen Brute-Force- und Wörterbuchattacken gewappnet zu sein. Benutze jedes deiner Passwörter nur einmal und ändere sie regelmässig.
  • Der Nutzen von Registry-Cleanern zur Performancesteigerung ist umstritten. Auf jeden Fall lässt sich damit grosser Schaden anrichten, wenn man nicht weiss, was man tut. Wir empfehlen deshalb, die Finger von der Registry zu lassen. Um von Zeit zu Zeit die temporären Dateien zu löschen, genügt TFC.

Wenn du möchtest, kannst du das Forum mit einer kleinen Spende unterstützen.
Es bleibt mir nur noch, dir unbeschwertes und sicheres Surfen zu wünschen und dass wir uns hier so bald nicht wiedersehen.
__________________
cheers,
Leo

Antwort

Themen zu Telekom Brief Zeus/Zbot
adobe, becker, bho, black, brief, defender, ebanking, error, firefox, flash player, format, grand theft auto, helper, home, homepage, infizierte, install.exe, logfile, monitor, object, onlinebanking trojaner, plug-in, realtek, rundll, scan, schädling, security, software, teamspeak, trojaner, udp, vista, warnung



Ähnliche Themen: Telekom Brief Zeus/Zbot


  1. Telekom Brief Zeus/Zbot
    Log-Analyse und Auswertung - 26.05.2015 (32)
  2. Telekom E-Mail 'zeuS' 'Zbot'
    Log-Analyse und Auswertung - 01.02.2014 (3)
  3. Telekom e-mail Zeus/ZBot
    Log-Analyse und Auswertung - 26.11.2013 (7)
  4. Telekom Brief - ZeuS/ZBot Infektion
    Log-Analyse und Auswertung - 26.11.2013 (9)
  5. Sicherheitswarnung Telekom ZeuS/ZBot
    Plagegeister aller Art und deren Bekämpfung - 04.10.2013 (9)
  6. Zeus/ZBot Telekom email
    Plagegeister aller Art und deren Bekämpfung - 12.09.2013 (29)
  7. ZeuS/ZBot Warnung von der Telekom
    Log-Analyse und Auswertung - 30.05.2013 (23)
  8. Brief von der Telekom bezüglich des ZeuS/Zbot Schädling....
    Plagegeister aller Art und deren Bekämpfung - 18.04.2013 (9)
  9. Telekom Warnung vor ZeuS/ZBot
    Log-Analyse und Auswertung - 05.03.2013 (15)
  10. Telekom Brief, ZeuS/ZBot
    Plagegeister aller Art und deren Bekämpfung - 22.02.2013 (16)
  11. Telekom-Hinweis auf ZeuS/ZBot
    Log-Analyse und Auswertung - 18.02.2013 (7)
  12. Trojaner ZeuS/ZBot Telekom Brief
    Plagegeister aller Art und deren Bekämpfung - 15.12.2012 (20)
  13. Brief von der Telekom, Trojaner, ZeuS/ZBot
    Plagegeister aller Art und deren Bekämpfung - 02.12.2012 (13)
  14. Post von der Telekom (ZeuS/ZBot)
    Plagegeister aller Art und deren Bekämpfung - 26.11.2012 (4)
  15. Telekom verweist auf ZeuS/ZBot
    Plagegeister aller Art und deren Bekämpfung - 13.11.2012 (11)
  16. Trojanerwarnung Zeus/ZBot von Telekom
    Log-Analyse und Auswertung - 28.10.2012 (5)
  17. Telekom beanstandet ZeuS/ZBot
    Plagegeister aller Art und deren Bekämpfung - 03.10.2012 (7)

Zum Thema Telekom Brief Zeus/Zbot - Hallo Also Ich habe von der Telekom einen Brief bekommen das sich auf einem unserer Rechner ein Onlinebanking Trojaner namens ZeusBot/Zbot befindet. Ich hab sofort einen Virenscan gemacht bei meiner - Telekom Brief Zeus/Zbot...
Archiv
Du betrachtest: Telekom Brief Zeus/Zbot auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.