schaumkelle | 27.12.2012 17:30 | Verfrühtes Weihnachtsgeschenk: TR/Crypt.ZPACK.Gen und EXP/2012-1723.GE Hallo liebes Forum,
habe mir das Wochenende kurz vor Weihnachten einen Trojaner eingefangen. Vorsichtshalber habe ich mal nachgesehen um was es sich da handelt und bin etwas in Panik verfallen. Zum Glück gibt es aber Trojaner-Board, habe gehört ihr macht gute Arbeit.
Details: In meinem Temp-Order unter C:\Dokumente und Einstellungen\one\Lokale Einstellungen\Temp fand Antivir eine Datei mit dem Namen 0.1585816588512725.exe welche vom Programm in die Quarantäne verschoben wurde. Verändert have ich daran nichts.
Beim heutigen Systemscan (über die Feiertage habe ich den Virus mal Virus sein lassen) fand Antivir außerdem etwas das sich EXP/2012-1723.GE nennt. Eine Suche ergibt, dass sich diese Datei in Java einschleicht: Verwundert mich nicht, denn diese Datei befand sich hier bevor sie auch in Quarantäne gesteckt wurde: C:\Dokumente und Einstellungen\one\Lokale Einstellungen\Temp\jar_cache372445240489031649.tmp
Ich kann von keiner Leistungseinbuße bei meinem PC der auf Windows XP schon seit über 10 Jahren läuft sprechen. Nichts ist mir aufgefallen. Es folgen die Logdaten, wie in diesem Thread erklärt: http://www.trojaner-board.de/69886-a...-beachten.html Code:
OTL logfile created on: 27.12.2012 16:51:36 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Dokumente und Einstellungen\one\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
1023,48 Mb Total Physical Memory | 747,94 Mb Available Physical Memory | 73,08% Memory free
2,90 Gb Paging File | 2,64 Gb Available in Paging File | 90,80% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 18,63 Gb Total Space | 1,01 Gb Free Space | 5,40% Space Free | Partition Type: FAT32
Drive M: | 74,52 Gb Total Space | 29,15 Gb Free Space | 39,12% Space Free | Partition Type: NTFS
Computer Name: *** | User Name: one | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Dokumente und Einstellungen\one\Desktop\OTL.exe (OldTimer Tools)
PRC - M:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - M:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - M:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - M:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe (Oracle Corporation)
PRC - C:\Programme\avmwlanstick\WLanGUI.exe (AVM Berlin)
PRC - C:\Programme\avmwlanstick\WLanNetService.exe (AVM Berlin)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (No Company Name) ==========
MOD - M:\Programme\Avira\AntiVir Desktop\sqlite3.dll ()
========== Services (SafeList) ==========
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (SkypeUpdate) -- C:\Programme\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AntiVirSchedulerService) -- M:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- M:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (JavaQuickStarterService) -- C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe (Oracle Corporation)
SRV - (AVM WLAN Connection Service) -- C:\Programme\avmwlanstick\WLanNetService.exe (AVM Berlin)
SRV - (odserv) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (UPnPService) -- C:\Programme\Gemeinsame Dateien\MAGIX Shared\UPnPService\UPnPService.exe (Magix AG)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (FirebirdServerMAGIXInstance) -- M:\Common\Database\bin\fbserver.exe (MAGIX®)
========== Driver Services (SafeList) ==========
DRV - (WDICA) -- File not found
DRV - (Scutum50) -- System32\Drivers\Scutum50.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (EAPPkt) -- system32\DRIVERS\EAPPkt.sys File not found
DRV - (Changer) -- File not found
DRV - (AR5523) -- system32\DRIVERS\ar5523.sys File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avkmgr) -- C:\WINDOWS\system32\drivers\avkmgr.sys (Avira GmbH)
DRV - (rt2870) -- C:\WINDOWS\system32\drivers\rt2870.sys (Ralink Technology, Corp.)
DRV - (FWLANUSB) -- C:\WINDOWS\system32\drivers\fwlanusb.sys (AVM GmbH)
DRV - (AR9271) -- C:\WINDOWS\system32\drivers\athuw.sys (Atheros Communications, Inc.)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (RTLWUSB) -- C:\WINDOWS\system32\drivers\RTL8187.sys (Realtek Semiconductor Corporation )
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atirage3) -- C:\WINDOWS\system32\drivers\atimpae.sys (ATI Technologies Inc.)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://nachtschatten.host56.com/index.php
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.carddex.net/PTC/|hxxp://forum.learnnavi.org/index.php|hxxp://dogpound.zzn.com/|hxxp://www.furaffinity.net/|hxxp://www.equestriadaily.com/"
FF - prefs.js..extensions.enabledAddons: ponify@pterocorn.blogspot.com:0.96
FF - prefs.js..extensions.enabledAddons: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.10
FF - prefs.js..extensions.enabledAddons: firefox@ghostery.com:2.8.3
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.6
FF - prefs.js..network.proxy.http: "proxy.personalitycores.com"
FF - prefs.js..network.proxy.http_port: 8000
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Programme\Mozilla Firefox\components [2012.04.19 14:58:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins
[2010.08.27 20:49:18 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Extensions
[2010.08.27 20:49:18 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\extensions
[2012.09.16 13:45:56 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012.10.03 02:30:40 | 000,000,000 | ---D | M] (Ghostery) -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\extensions\firefox@ghostery.com
[2011.07.27 16:00:04 | 000,025,781 | ---- | M] () (No name found) -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\extensions\add-to-searchbox@maltekraus.de.xpi
[2012.03.11 22:36:16 | 000,047,472 | ---- | M] () (No name found) -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\extensions\ponify@pterocorn.blogspot.com.xpi
[2012.07.31 17:50:52 | 000,741,958 | ---- | M] () (No name found) -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012.10.25 18:03:52 | 000,291,630 | ---- | M] () (No name found) -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\extensions\jid1-QpHD8URtZWJC2A@jetpack.xpi
[2012.07.31 17:46:34 | 000,001,853 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\searchplugins\metager2.xml
[2012.07.31 17:46:34 | 000,001,635 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\searchplugins\ixquick.xml
[2012.07.21 14:47:22 | 000,001,161 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\searchplugins\wikipedia-de.xml
[2012.07.31 19:57:52 | 000,001,151 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\searchplugins\wikipedia-en.xml
[2011.07.28 00:14:06 | 000,000,927 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\searchplugins\urban-dictionary.xml
[2011.07.29 23:43:28 | 000,001,030 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Mozilla\Firefox\Profiles\q6nrl8il.default\searchplugins\youtube---broadcast-yourself.xml
[2012.07.31 15:11:10 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.07.14 02:15:46 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Programme\mozilla firefox\components\browsercomps.dll
[2012.07.14 02:45:08 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.07.14 02:45:08 | 000,002,252 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\bing.xml
[2012.07.14 02:45:08 | 000,001,153 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml
[2012.07.14 02:45:08 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.07.14 02:45:08 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.07.14 02:45:08 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2001.08.18 12:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] M:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\WLanGUI.exe (AVM Berlin)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.19.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0EE87DA-6073-45E1-AFF2-7B14D77FC8F4}: DhcpNameServer = 192.168.19.63
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\one\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\one\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010.07.30 19:25:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{acd7d97a-90eb-11e0-a1d0-00e0601a0bb6}\Shell - "" = AutoRun
O33 - MountPoints2\{acd7d97a-90eb-11e0-a1d0-00e0601a0bb6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{acd7d97a-90eb-11e0-a1d0-00e0601a0bb6}\Shell\AutoRun\command - "" = IomegaEncryptionSetup v1.3.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2012.12.27 15:41:08 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\one\Desktop\OTL.exe
[2012.12.22 04:30:25 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\one\Recent
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012.12.27 16:28:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012.12.27 16:06:16 | 000,302,592 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Desktop\24y39r88.exe
[2012.12.27 16:04:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012.12.27 15:41:10 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\one\Desktop\OTL.exe
[2012.12.27 15:39:22 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\one\defogger_reenable
[2012.12.27 15:39:00 | 000,050,477 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Desktop\Defogger.exe
[2012.12.22 11:53:44 | 000,002,243 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Skype.lnk
[2012.12.11 13:09:12 | 000,034,807 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Desktop\qwerasdf.png
[2012.12.11 13:09:12 | 000,009,588 | ---- | M] () -- C:\Dokumente und Einstellungen\one\.recently-used.xbel
[2012.11.29 17:52:36 | 000,042,496 | ---- | M] () -- C:\Dokumente und Einstellungen\one\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012.12.27 16:06:15 | 000,302,592 | ---- | C] () -- C:\Dokumente und Einstellungen\one\Desktop\24y39r88.exe
[2012.12.27 15:39:21 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\one\defogger_reenable
[2012.12.27 15:38:56 | 000,050,477 | ---- | C] () -- C:\Dokumente und Einstellungen\one\Desktop\Defogger.exe
[2012.12.11 13:09:11 | 000,034,807 | ---- | C] () -- C:\Dokumente und Einstellungen\one\Desktop\qwerasdf.png
[2012.12.11 13:09:11 | 000,009,588 | ---- | C] () -- C:\Dokumente und Einstellungen\one\.recently-used.xbel
[2012.07.31 15:13:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012.07.31 14:26:26 | 000,097,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\Fwusb1b.bin
[2012.05.01 01:47:11 | 000,350,754 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\WPFFontCache_v0400-S-1-5-21-1292428093-879983540-839522115-1003-0.dat
[2012.04.20 15:11:27 | 000,451,072 | ---- | C] () -- C:\WINDOWS\System32\ISSRemoveSP.exe
[2012.04.18 01:25:14 | 000,350,754 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\WPFFontCache_v0400-System.dat
[2011.07.27 16:34:33 | 000,042,496 | ---- | C] () -- C:\Dokumente und Einstellungen\one\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.05.07 18:06:44 | 000,000,463 | ---- | C] () -- C:\WINDOWS\musiceditor.INI
[2011.05.07 17:56:19 | 000,000,634 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011.04.29 19:24:28 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\AV32UID.DAT
[2011.04.28 21:12:08 | 000,006,642 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2011.04.28 20:26:15 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2011.04.28 20:26:15 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2011.04.28 20:26:13 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2011.04.28 20:26:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2011.04.28 20:26:12 | 000,266,240 | ---- | C] () -- C:\WINDOWS\CMIUninstall.exe
[2011.04.28 20:26:12 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.exe
[2011.04.28 20:26:12 | 000,225,280 | ---- | C] () -- C:\WINDOWS\CmiRmRedundDir.exe
[2011.04.28 20:26:12 | 000,134,699 | ---- | C] () -- C:\WINDOWS\Cmuda.ini
[2011.04.28 20:26:11 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
========== ZeroAccess Check ==========
[2012.04.02 18:15:04 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008.04.14 04:22:26 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 12:51:44 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 04:22:32 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
[2011.04.28 21:16:52 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MAGIX
[2011.05.04 20:22:44 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FREEDB
[2012.04.18 00:17:52 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Freemake
[2011.04.28 21:19:04 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\MAGIX
[2011.07.28 22:49:54 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\gtk-2.0
[2012.01.13 23:10:32 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\TIPP10
[2012.04.23 22:49:08 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\GlarySoft
[2012.05.31 15:32:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Oracle
[2012.06.12 23:48:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\ImgBurn
[2012.07.02 20:32:30 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Audacity
[2012.09.09 22:53:44 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\one\Anwendungsdaten\Opera
========== Purity Check ==========
< End of report > Code:
OTL Extras logfile created on: 27.12.2012 15:43:18 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Dokumente und Einstellungen\one\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
1023,48 Mb Total Physical Memory | 738,22 Mb Available Physical Memory | 72,13% Memory free
2,90 Gb Paging File | 2,62 Gb Available in Paging File | 90,07% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 18,63 Gb Total Space | 1,03 Gb Free Space | 5,53% Space Free | Partition Type: FAT32
Drive M: | 74,52 Gb Total Space | 29,15 Gb Free Space | 39,12% Space Free | Partition Type: NTFS
Computer Name: *** | User Name: one | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- M:\Programme\Opera\Opera.exe (Opera Software)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- M:\Programme\Opera\Opera.exe (Opera Software)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "M:\Programme\Opera\Opera.exe" "%1" (Opera Software)
https [open] -- "M:\Programme\Opera\Opera.exe" "%1" (Opera Software)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1542:TCP" = 1542:TCP:*:Enabled:Realtek WPS TCP Prot
"1542:UDP" = 1542:UDP:*:Enabled:Realtek WPS UDP Prot
"53:UDP" = 53:UDP:*:Enabled:Realtek AP UDP Prot
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Programme\Windows Live\Messenger\wlcsdk.exe" = C:\Programme\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Programme\Windows Live\Messenger\msnmsgr.exe" = C:\Programme\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Programme\Gemeinsame Dateien\MAGIX Shared\UPnPService\UPnPService.exe" = C:\Programme\Gemeinsame Dateien\MAGIX Shared\UPnPService\UPnPService.exe:LocalSubNet:Enabled:Magix UPnP Service -- (Magix AG)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"M:\MP3MAKER\MP3Maker.exe" = M:\MP3MAKER\MP3Maker.exe:*:Enabled:MP3Maker.exe -- (MAGIX)
"C:\Programme\REALTEK\RTL8187B Wireless LAN Utility\RtWLan.exe" = C:\Programme\REALTEK\RTL8187B Wireless LAN Utility\RtWLan.exe:*:Enabled:RtWlan
"C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Programme\Mozilla Firefox\plugin-container.exe" = C:\Programme\Mozilla Firefox\plugin-container.exe:*:Enabled:Plugin Container for Firefox -- (Mozilla Corporation)
"M:\Programme\Yahoo!\Messenger\YahooMessenger.exe" = M:\Programme\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
"C:\Programme\Windows Live\Messenger\wlcsdk.exe" = C:\Programme\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Programme\Windows Live\Messenger\msnmsgr.exe" = C:\Programme\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"M:\Programme\Opera\opera.exe" = M:\Programme\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Programme\Skype\Phone\Skype.exe" = C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java(TM) 7 Update 4
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52B97218-98CB-4B8B-9283-D213C85E1AA4}" = Windows Live Anmelde-Assistent
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}" = RollerCoaster Tycoon 2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8398B542-3CC4-44D9-83DF-696CCE70124B}" = Windows Support Tools
"{90120000-0010-0407-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (German) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_PROPLUS_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_PROPLUS_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_PROPLUS_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_PROPLUS_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{AED2DD42-9853-407E-A6BC-8A1D6B715909}" = Windows Live Messenger
"{BA1E1AFD-D1F2-4C52-88C3-186FC5E61604}" = RollerCoaster Tycoon 2: Time Twister
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
"{D2041A37-5FEC-49F0-AE5C-3F2FFDFAA4F4}" = Windows Live Call
"{D4B8AFAB-FB39-11D7-9D43-000A735D259C}" = Rollercoaster Tycoon 2 UCES
"{EA17F4FC-FDBF-4CF8-A529-2D983132D053}" = Skype™ 6.0
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"7-Zip" = 7-Zip 9.20
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"AVMWLANCLI" = AVM FRITZ!WLAN
"CCleaner" = CCleaner
"CDex" = CDex - Open Source Digital Audio CD Extractor
"C-Media Audio" = C-Media 3D Audio
"Firebird SQL Server D" = Firebird SQL Server - MAGIX Edition 2.0.0.1 (D)
"Freemake Audio Converter_is1" = Freemake Audio Converter Version 1.1.0
"ImgBurn" = ImgBurn
"IrfanView" = IrfanView (remove only)
"jEdit_is1" = jEdit 4.5.1
"LilyPond" = LilyPond
"MAGIX Foto Manager 2006 D" = MAGIX Foto Manager 2006 (D)
"MAGIX MP3 Maker 11 D" = MAGIX MP3 Maker 11 (D)
"MAGIX Online Druck Service D" = MAGIX Online Druck Service (D)
"MAGIX Podcast Maker D" = MAGIX Podcast Maker (D)
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de)
"Opera 12.02.1578" = Opera 12.02
"PROPLUS" = Microsoft Office Professional Plus 2007
"Registry Repair" = Registry Repair 4.1.0.388
"STDU Viewer_is1" = STDU Viewer version 1.6.2.0
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"TIPP10_is1" = TIPP10 Version 2.1.0
"VLC media player" = VLC media player 1.1.9
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.11 (32-Bit)
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 27.12.2012 09:53:19 | Computer Name = *** | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{bef5361e-9c0b-11df-9cfa-806d6172696f},0xc0000000,0x00000003,...)".
hr = 0x80070005.
Error - 27.12.2012 09:53:43 | Computer Name = *** | Source = VSS | ID = 5013
Description = Volumeschattenkopie-Dienstfehler: Von Schattenkopieautor "RemovableStorageManager"
aufgerufene Routine "OpenNtmsSessionW" ist mit Status "0x80070015" (konvertiert
in 0x800423f3) fehlgeschlagen.
Error - 27.12.2012 09:55:07 | Computer Name = *** | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{bef5361e-9c0b-11df-9cfa-806d6172696f},0xc0000000,0x00000003,...)".
hr = 0x80070005.
Error - 27.12.2012 09:55:30 | Computer Name = *** | Source = VSS | ID = 5013
Description = Volumeschattenkopie-Dienstfehler: Von Schattenkopieautor "RemovableStorageManager"
aufgerufene Routine "OpenNtmsSessionW" ist mit Status "0x80070015" (konvertiert
in 0x800423f3) fehlgeschlagen.
Error - 27.12.2012 09:57:16 | Computer Name = *** | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{bef5361e-9c0b-11df-9cfa-806d6172696f},0xc0000000,0x00000003,...)".
hr = 0x80070005.
Error - 27.12.2012 09:57:39 | Computer Name = *** | Source = VSS | ID = 5013
Description = Volumeschattenkopie-Dienstfehler: Von Schattenkopieautor "RemovableStorageManager"
aufgerufene Routine "OpenNtmsSessionW" ist mit Status "0x80070015" (konvertiert
in 0x800423f3) fehlgeschlagen.
Error - 27.12.2012 09:57:50 | Computer Name = *** | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{bef5361e-9c0b-11df-9cfa-806d6172696f},0xc0000000,0x00000003,...)".
hr = 0x80070005.
Error - 27.12.2012 09:58:12 | Computer Name = *** | Source = VSS | ID = 5013
Description = Volumeschattenkopie-Dienstfehler: Von Schattenkopieautor "RemovableStorageManager"
aufgerufene Routine "OpenNtmsSessionW" ist mit Status "0x80070015" (konvertiert
in 0x800423f3) fehlgeschlagen.
Error - 27.12.2012 10:03:53 | Computer Name = *** | Source = VSS | ID = 12289
Description = Volumeschattenkopie-Dienstfehler: Unerwarteter Fehler "CreateFileW(\\?\Volume{bef5361e-9c0b-11df-9cfa-806d6172696f},0xc0000000,0x00000003,...)".
hr = 0x80070005.
Error - 27.12.2012 10:04:17 | Computer Name = *** | Source = VSS | ID = 5013
Description = Volumeschattenkopie-Dienstfehler: Von Schattenkopieautor "RemovableStorageManager"
aufgerufene Routine "OpenNtmsSessionW" ist mit Status "0x80070015" (konvertiert
in 0x800423f3) fehlgeschlagen.
[ System Events ]
Error - 21.12.2012 16:50:53 | Computer Name = *** | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Realtek EAPPkt Protocol" wurde aufgrund folgenden Fehlers
nicht gestartet: %%2
Error - 22.12.2012 06:51:18 | Computer Name = *** | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Scutum50 NDIS Protocol Driver" wurde aufgrund folgenden
Fehlers nicht gestartet: %%2
Error - 22.12.2012 06:51:18 | Computer Name = *** | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Realtek EAPPkt Protocol" wurde aufgrund folgenden Fehlers
nicht gestartet: %%2
Error - 27.12.2012 09:45:11 | Computer Name = *** | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Scutum50 NDIS Protocol Driver" wurde aufgrund folgenden
Fehlers nicht gestartet: %%2
Error - 27.12.2012 09:45:11 | Computer Name = *** | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Realtek EAPPkt Protocol" wurde aufgrund folgenden Fehlers
nicht gestartet: %%2
Error - 27.12.2012 09:54:25 | Computer Name = *** | Source = Wechselmediendienst | ID = 262159
Description = Der Wechselmediendienst kann die Bibliothek CdRom0 nicht verwalten.
Die Datenbank ist beschädigt.
Error - 27.12.2012 09:56:12 | Computer Name = *** | Source = Wechselmediendienst | ID = 262159
Description = Der Wechselmediendienst kann die Bibliothek CdRom0 nicht verwalten.
Die Datenbank ist beschädigt.
Error - 27.12.2012 09:58:21 | Computer Name = *** | Source = Wechselmediendienst | ID = 262159
Description = Der Wechselmediendienst kann die Bibliothek CdRom0 nicht verwalten.
Die Datenbank ist beschädigt.
Error - 27.12.2012 10:05:00 | Computer Name = *** | Source = Wechselmediendienst | ID = 262159
Description = Der Wechselmediendienst kann die Bibliothek CdRom0 nicht verwalten.
Die Datenbank ist beschädigt.
Error - 27.12.2012 10:38:48 | Computer Name = *** | Source = Server | ID = 2505
Description = Aufgrund eines doppelten Netzwerknamens konnte zu der Transportschicht
\Device\NetBT_Tcpip_{F0EE87DA-6073-45E1-AFF2-7B14D77FC8F4} vom Serverdienst nicht
gebunden werden. Der Serverdienst konnte nicht gestartet werden.
< End of report > Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-12-27 17:06:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD200EB-11CPF0 rev.06.04G06
Running: 24y39r88.exe; Driver: C:\DOKUME~1\one\LOKALE~1\Temp\uxlyapow.sys
---- System - GMER 1.0.15 ----
SSDT F7F68664 ZwClose
SSDT F7F6861E ZwCreateKey
SSDT F7F6866E ZwCreateSection
SSDT F7F68614 ZwCreateThread
SSDT F7F68623 ZwDeleteKey
SSDT F7F6862D ZwDeleteValueKey
SSDT F7F6865F ZwDuplicateObject
SSDT F7F68632 ZwLoadKey
SSDT F7F68600 ZwOpenProcess
SSDT F7F68605 ZwOpenThread
SSDT F7F68687 ZwQueryValueKey
SSDT F7F6863C ZwReplaceKey
SSDT F7F68678 ZwRequestWaitReplyPort
SSDT F7F68637 ZwRestoreKey
SSDT F7F68673 ZwSetContextThread
SSDT F7F6867D ZwSetSecurityObject
SSDT F7F68628 ZwSetValueKey
SSDT F7F68682 ZwSystemDebugControl
SSDT F7F6860F ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 3A1 804E2A0D 3 Bytes [86, F6, F7]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ---- |