-SeaSharp- | 19.02.2013 17:26 | Hey, many thanks for the quick reply!
I followed all the steps; no problems occurred.
Here is the Gmer log:
GMER Logfile:
GMER 2.1.18952 - hxxp://www.gmer.net
Rootkit scan 2013-02-19 17:10:10
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JP4O 931,51GB
Running: s8e0eoez.exe; Driver: C:\Users\Butz\AppData\Local\Temp\pwldqpow.sys
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 834459E9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8347F1C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x94A20000, 0x2FBAB4, 0xE8000020]
---- User code sections - GMER 2.1 ----
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtClose 772B54C8 5 Bytes JMP 64B1FFC0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtCreateFile 772B55C8 5 Bytes JMP 64B1EC96 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtCreateKey 772B5608 5 Bytes JMP 64B1B6DC C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtDeleteFile 772B5808 5 Bytes JMP 64B1EAB3 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtDeleteKey 772B5818 5 Bytes JMP 64B1AF5D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtDeleteValueKey 772B5848 5 Bytes JMP 64B1B220 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtDuplicateObject 772B5898 5 Bytes JMP 64B20096 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtEnumerateKey 772B58E8 5 Bytes JMP 64B1B001 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtEnumerateValueKey 772B5918 5 Bytes JMP 64B1B17A C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtFlushKey 772B5988 5 Bytes JMP 64B1AFAF C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtNotifyChangeKey 772B5C68 5 Bytes JMP 64B1B2CE C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtNotifyChangeMultipleKeys 772B5C78 5 Bytes JMP 64B1B35C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtOpenFile 772B5CD8 5 Bytes JMP 64B1EE21 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtOpenKey 772B5D08 5 Bytes JMP 64B1B5ED C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtOpenKeyEx 772B5D18 5 Bytes JMP 64B1B660 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtQueryAttributesFile 772B5F38 5 Bytes JMP 64B1EB1E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtQueryDirectoryFile 772B5F98 5 Bytes JMP 64B1D81E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtQueryFullAttributesFile 772B5FE8 5 Bytes JMP 64B1EB8E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtQueryKey 772B60E8 5 Bytes JMP 64B1B054 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtQueryMultipleValueKey 772B6108 5 Bytes JMP 64B1B27B C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtQueryObject 772B6128 5 Bytes JMP 64B200EC C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtQuerySecurityObject 772B61A8 5 Bytes JMP 64B20030 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtQueryValueKey 772B6248 5 Bytes JMP 64B1B127 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtRenameKey 772B63C8 5 Bytes JMP 64B1B751 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtSetInformationFile 772B6638 5 Bytes JMP 64B1EBFE C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtSetInformationKey 772B6658 5 Bytes JMP 64B1B0BA C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtSetSecurityObject 772B6758 5 Bytes JMP 64B20149 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ntdll.dll!NtSetValueKey 772B6808 5 Bytes JMP 64B1B1CD C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] kernel32.dll!CreateProcessW 7698204D 5 Bytes JMP 64AF8C27 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] kernel32.dll!CreateProcessA 76982082 5 Bytes JMP 64AF8D65 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] kernel32.dll!CreateProcessAsUserW 769B59FF 5 Bytes JMP 64AF8F9B C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] kernel32.dll!SetDllDirectoryW 76A0D783 5 Bytes JMP 64AF977C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] kernel32.dll!SetDllDirectoryA 76A0D82C 5 Bytes JMP 64AF9AAF C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] kernel32.dll!WinExec 76A0EDAE 5 Bytes JMP 64AF931E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] kernel32.dll!AllocConsole 76A2C675 5 Bytes JMP 64B21210 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] kernel32.dll!AttachConsole 76A2C743 5 Bytes JMP 64B21222 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] USER32.dll!CreateWindowExA 7681BF40 5 Bytes JMP 64B211E0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] USER32.dll!CreateWindowExW 7681EC7C 5 Bytes JMP 64B211F8 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] GDI32.dll!AddFontResourceW 763CEC13 5 Bytes JMP 64B06800 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] GDI32.dll!AddFontResourceA 763CEFA7 5 Bytes JMP 64B067E4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!EnumDependentServicesW 76771E3A 7 Bytes JMP 64B0956C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!EnumServicesStatusExW 7677B466 7 Bytes JMP 64B0A48D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!GetServiceKeyNameW 767978FF 7 Bytes JMP 64B09C13 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!GetServiceDisplayNameW 767979BB 7 Bytes JMP 64B09DC4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!EnumServicesStatusExA 7679A3E2 7 Bytes JMP 64B0A553 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!CreateProcessAsUserA 767B2538 5 Bytes JMP 64AF90DD C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!GetServiceKeyNameA 767D1B94 7 Bytes JMP 64B09CCB C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!GetServiceDisplayNameA 767D1C31 7 Bytes JMP 64B09E7C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!EnumServicesStatusA 767D2021 7 Bytes JMP 64B0A3CF C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!EnumDependentServicesA 767D2104 7 Bytes JMP 64B09623 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ADVAPI32.dll!EnumServicesStatusW 767D2221 5 Bytes JMP 64B0A311 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoRegisterPSClsid 7711C56E 5 Bytes JMP 64B0FFF5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoResumeClassObjects + 7 7711EA09 7 Bytes JMP 64B105C6 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!OleRun 771207DE 5 Bytes JMP 64B10481 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoRegisterClassObject 771221E1 5 Bytes JMP 64B110F6 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!OleUninitialize 7712EBA1 6 Bytes JMP 64B103A0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!OleInitialize 7712EFD7 5 Bytes JMP 64B10330 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoGetPSClsid 771326B9 5 Bytes JMP 64B1016D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoGetClassObject 771454AD 5 Bytes JMP 64B11684 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoInitializeEx 771509AD 5 Bytes JMP 64B101E0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoUninitialize 771586D3 5 Bytes JMP 64B10262 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoCreateInstance 77159D0B 5 Bytes JMP 64B12952 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoCreateInstanceEx 77159D4E 5 Bytes JMP 64B10A8D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoSuspendClassObjects + 7 7717BB09 7 Bytes JMP 64B104F1 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoRevokeClassObject 7719EACF 5 Bytes JMP 64B0FA52 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!CoGetInstanceFromFile 771D340B 5 Bytes JMP 64B11B44 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\OffSpon.EXE[1016] ole32.dll!OleRegEnumFormatEtc 7721CFD9 5 Bytes JMP 64B1040B C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtClose 772B54C8 5 Bytes JMP 64B1FFC0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtCreateFile 772B55C8 5 Bytes JMP 64B1EC96 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtCreateKey 772B5608 5 Bytes JMP 64B1B6DC C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtDeleteFile 772B5808 5 Bytes JMP 64B1EAB3 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtDeleteKey 772B5818 5 Bytes JMP 64B1AF5D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtDeleteValueKey 772B5848 5 Bytes JMP 64B1B220 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtDuplicateObject 772B5898 5 Bytes JMP 64B20096 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtEnumerateKey 772B58E8 5 Bytes JMP 64B1B001 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtEnumerateValueKey 772B5918 5 Bytes JMP 64B1B17A C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtFlushKey 772B5988 5 Bytes JMP 64B1AFAF C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtNotifyChangeKey 772B5C68 5 Bytes JMP 64B1B2CE C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtNotifyChangeMultipleKeys 772B5C78 5 Bytes JMP 64B1B35C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtOpenFile 772B5CD8 5 Bytes JMP 64B1EE21 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtOpenKey 772B5D08 5 Bytes JMP 64B1B5ED C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtOpenKeyEx 772B5D18 5 Bytes JMP 64B1B660 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtQueryAttributesFile 772B5F38 5 Bytes JMP 64B1EB1E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtQueryDirectoryFile 772B5F98 5 Bytes JMP 64B1D81E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtQueryFullAttributesFile 772B5FE8 5 Bytes JMP 64B1EB8E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtQueryKey 772B60E8 5 Bytes JMP 64B1B054 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtQueryMultipleValueKey 772B6108 5 Bytes JMP 64B1B27B C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtQueryObject 772B6128 5 Bytes JMP 64B200EC C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtQuerySecurityObject 772B61A8 5 Bytes JMP 64B20030 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtQueryValueKey 772B6248 5 Bytes JMP 64B1B127 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtRenameKey 772B63C8 5 Bytes JMP 64B1B751 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtSetInformationFile 772B6638 5 Bytes JMP 64B1EBFE C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtSetInformationKey 772B6658 5 Bytes JMP 64B1B0BA C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtSetSecurityObject 772B6758 5 Bytes JMP 64B20149 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ntdll.dll!NtSetValueKey 772B6808 5 Bytes JMP 64B1B1CD C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!CreateProcessW 7698204D 5 Bytes JMP 64AF8C27 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!CreateProcessA 76982082 5 Bytes JMP 64AF8D65 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!CreateProcessAsUserW 769B59FF 5 Bytes JMP 64AF8F9B C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!SetUnhandledExceptionFilter 769CF4FB 5 Bytes JMP 616C856D Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSO.DLL
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!SetDllDirectoryW 76A0D783 5 Bytes JMP 64AF977C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!SetDllDirectoryA 76A0D82C 5 Bytes JMP 64AF9AAF C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!WinExec 76A0EDAE 5 Bytes JMP 64AF931E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!AllocConsole 76A2C675 5 Bytes JMP 64B21210 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] kernel32.dll!AttachConsole 76A2C743 5 Bytes JMP 64B21222 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] USER32.dll!CreateWindowExA 7681BF40 5 Bytes JMP 64B211E0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] USER32.dll!CreateWindowExW 7681EC7C 5 Bytes JMP 64B211F8 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] GDI32.dll!AddFontResourceW 763CEC13 5 Bytes JMP 64B06800 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] GDI32.dll!AddFontResourceA 763CEFA7 5 Bytes JMP 64B067E4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!EnumDependentServicesW 76771E3A 7 Bytes JMP 64B0956C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!EnumServicesStatusExW 7677B466 7 Bytes JMP 64B0A48D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!GetServiceKeyNameW 767978FF 7 Bytes JMP 64B09C13 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!GetServiceDisplayNameW 767979BB 7 Bytes JMP 64B09DC4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!EnumServicesStatusExA 7679A3E2 7 Bytes JMP 64B0A553 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!CreateProcessAsUserA 767B2538 5 Bytes JMP 64AF90DD C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!GetServiceKeyNameA 767D1B94 7 Bytes JMP 64B09CCB C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!GetServiceDisplayNameA 767D1C31 7 Bytes JMP 64B09E7C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!EnumServicesStatusA 767D2021 7 Bytes JMP 64B0A3CF C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!EnumDependentServicesA 767D2104 7 Bytes JMP 64B09623 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ADVAPI32.dll!EnumServicesStatusW 767D2221 5 Bytes JMP 64B0A311 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!OleLoadFromStream 77116143 5 Bytes JMP 61BFFA9A Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSO.DLL
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoRegisterPSClsid 7711C56E 5 Bytes JMP 64B0FFF5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoResumeClassObjects + 7 7711EA09 7 Bytes JMP 64B105C6 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!OleRun 771207DE 5 Bytes JMP 64B10481 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoRegisterClassObject 771221E1 5 Bytes JMP 64B110F6 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!OleUninitialize 7712EBA1 6 Bytes JMP 64B103A0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!OleInitialize 7712EFD7 5 Bytes JMP 64B10330 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoGetPSClsid 771326B9 5 Bytes JMP 64B1016D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoGetClassObject 771454AD 5 Bytes JMP 64B11684 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoInitializeEx 771509AD 5 Bytes JMP 64B101E0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoUninitialize 771586D3 5 Bytes JMP 64B10262 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoCreateInstance 77159D0B 5 Bytes JMP 64B12952 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoCreateInstanceEx 77159D4E 5 Bytes JMP 64B10A8D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoSuspendClassObjects + 7 7717BB09 7 Bytes JMP 64B104F1 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoRevokeClassObject 7719EACF 5 Bytes JMP 64B0FA52 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!CoGetInstanceFromFile 771D340B 5 Bytes JMP 64B11B44 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140066.deu\Office14\WINWORDC.EXE[3348] ole32.dll!OleRegEnumFormatEtc 7721CFD9 5 Bytes JMP 64B1040B C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
---- Devices - GMER 2.1 ----
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- Processes - GMER 2.1 ----
Library Q:\140066.deu\Office14\OffSpon.EXE (*** hidden *** ) @ Q:\140066.deu\Office14\OffSpon.EXE [1016] 0x2D9A0000
Library Q:\140066.deu\Office14\msadctls.dll (*** hidden *** ) @ Q:\140066.deu\Office14\OffSpon.EXE [1016] 0x59FC0000
Library Q:\140066.deu\Office14\WINWORDC.EXE (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x2F4C0000
Library Q:\140066.deu\Office14\wwlibc.dll (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x63460000
Library Q:\140066.deu\Office14\gfx.dll (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x632B0000
Library Q:\140066.deu\Office14\oart.dll (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x5EAE0000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSO.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x616C0000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x62E90000
Library Q:\140066.deu\Office14\1031\WWINTLC.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x62D90000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\1031\MSOINTL.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x62A80000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSPTLS.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x629C0000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\RICHED20.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x5E990000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSORES.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x5A460000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\USP10.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x64A10000
Library Q:\140066.deu\Office14\msproof7.dll (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x69190000
Library Q:\140066.deu\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\PROOF\MSLID.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x64750000
Library Q:\140066.deu\OFFICE14\PROOF\MSSP7GE.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x59E30000
Library Q:\140066.deu\OFFICE14\PROOF\1031\MSGR3GE.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x58D70000
Library Q:\140066.deu\Office14\mscss7ge.dll (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x64700000
Library Q:\140066.deu\Office14\css7Data0007.dll (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x61640000
Library Q:\140066.deu\OFFICE14\PROOF\1033\MSGR3EN.DLL (*** hidden *** ) @ Q:\140066.deu\Office14\WINWORDC.EXE [3348] 0x58A50000
---- EOF - GMER 2.1 ----
...and here are the two logs from OTL:
OTL Logfile:
OTL logfile created on: 2/19/2013 5:13:15 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Butz\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 1.84 Gb Available Physical Memory | 61.49% Memory free
6.00 Gb Paging File | 4.74 Gb Available in Paging File | 79.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 890.41 Gb Total Space | 849.87 Gb Free Space | 95.45% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 23.52 Gb Free Space | 58.80% Space Free | Partition Type: NTFS
Computer Name: BUTZ-PC | User Name: Butz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - File not found --
PRC - [2013/02/19 17:12:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Butz\Downloads\OTL.exe
PRC - [2013/02/18 17:46:29 | 001,820,016 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe
PRC - [2013/02/07 16:01:46 | 000,917,400 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/12/18 20:08:28 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/11/23 03:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012/09/12 17:25:24 | 000,287,824 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/10/01 08:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 08:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/02/25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/05/27 17:59:54 | 000,376,832 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010/05/27 17:59:30 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010/03/04 04:16:04 | 000,284,696 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
PRC - [2010/02/28 01:33:14 | 000,077,664 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
PRC - [2009/11/02 22:21:26 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2007/07/24 10:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/01/02 11:47:16 | 000,520,192 | ---- | M] () -- C:\Windows\Samsung\PanelMgr\SSMMgr.exe
========== Modules (No Company Name) ==========
MOD - [2013/02/18 17:46:28 | 014,717,808 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_6_602_168.dll
MOD - [2013/02/15 17:54:41 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5ecf01964c70e453d71e5d7653912ff9\System.Web.ni.dll
MOD - [2013/02/15 17:54:29 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll
MOD - [2013/02/07 16:01:27 | 003,023,256 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2013/01/13 17:13:03 | 000,452,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\f7cb3ae5de64f8cbde3ccc57c780743a\IAStorUtil.ni.dll
MOD - [2013/01/10 20:52:11 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll
MOD - [2013/01/10 20:51:43 | 001,592,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll
MOD - [2013/01/10 20:51:27 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
MOD - [2013/01/10 20:51:24 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll
MOD - [2013/01/10 20:51:23 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
MOD - [2013/01/10 20:51:18 | 011,493,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
MOD - [2010/11/13 01:02:22 | 000,434,176 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_de_b77a5c561934e089\System.Windows.Forms.resources.dll
MOD - [2010/11/13 01:02:21 | 000,315,392 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll
MOD - [2010/05/27 20:40:48 | 000,270,336 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2010/05/12 14:12:47 | 000,032,768 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll
MOD - [2010/02/28 01:33:14 | 000,077,664 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
MOD - [2009/11/02 22:23:36 | 000,013,096 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009/11/02 22:20:10 | 000,619,816 | ---- | M] () -- C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
MOD - [2007/01/02 11:47:16 | 000,520,192 | ---- | M] () -- C:\Windows\Samsung\PanelMgr\SSMMgr.exe
========== Services (SafeList) ==========
SRV - File not found [Auto | Stopped] -- C:\Program Files\Wajam\Updater\WajamUpdater.exe -- (WajamUpdater)
SRV - [2013/02/07 16:01:46 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/12/18 20:08:28 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/09/12 17:25:24 | 000,287,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/10/01 08:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 08:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2010/05/27 17:59:30 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/03/04 04:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2009/07/14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
SRV - [2007/07/24 10:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Stopped] -- I:\DIAGNOSE\WSTGER32\2PART\uxddrv86.sys -- (uxddrv)
DRV - File not found [Kernel | Auto | Stopped] -- -- (ASPI32)
DRV - [2012/08/30 22:03:50 | 000,099,272 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/10/01 08:30:42 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
DRV - [2011/10/01 08:30:40 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2011/10/01 08:30:38 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
DRV - [2011/10/01 08:30:36 | 000,579,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
DRV - [2010/11/25 06:59:16 | 000,603,240 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2010/11/20 11:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 10:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/05/27 18:38:24 | 005,586,432 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010/05/27 17:25:18 | 000,209,920 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/05/06 10:21:42 | 000,108,560 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2006/12/08 01:50:43 | 000,005,120 | ---- | M] (Samsung Electronics) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\SSPORT.SYS -- (SSPORT)
DRV - [2006/12/08 01:50:42 | 000,041,984 | ---- | M] (Samsung Electronics Co., Ltd.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\DGIVECP.SYS -- (DgiVecp)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://medion.msn.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://medion.msn.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.babylon.com/?affID=109958&tt=4712_2&babsrc=HP_ss&mntrId=5ef7949100000000000074f06d53c40c
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{0A50410E-0AD8-4E25-82E1-2EFB5BF6040D}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=MEDTDF&pc=MAMD&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=109958&tt=4712_2&babsrc=SP_ss&mntrId=5ef7949100000000000074f06d53c40c
IE - HKCU\..\SearchScopes\{73C45BF4-7CF6-42ED-84CD-510A85B13BBE}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=3C85B2E6-CA5B-48E0-95B8-D586642C7770&apn_sauid=D3E0C41C-2833-471C-93AA-ADE8931EEE29
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={CC9A5B2A-8D9E-45A0-9F5B-6A50A9776A5B}&mid=a210dda5304547d68648bd2b2bbf4d49-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=en&ds=AVG&pr=fr&d=&v=&sap=dsp&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.gmx.net/"
FF - prefs.js..extensions.enabledAddons: toolbar%40gmx.net:2.3.4
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.2
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_168.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/02/07 16:01:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/02/07 16:01:47 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2011/06/16 10:52:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Butz\AppData\Roaming\mozilla\Extensions
[2012/11/26 18:23:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Butz\AppData\Roaming\mozilla\Firefox\Profiles\hk6kzvs4.default\extensions
[2012/11/22 20:48:33 | 000,500,206 | ---- | M] () (No name found) -- C:\Users\Butz\AppData\Roaming\mozilla\firefox\profiles\hk6kzvs4.default\extensions\toolbar@gmx.net.xpi
[2013/02/07 16:01:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\extensions
[2013/02/07 16:01:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2013/02/07 16:01:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\distribution\extensions
[2013/02/07 16:01:20 | 000,000,000 | ---D | M] (GMX Toolbar) -- C:\Program Files\mozilla firefox\distribution\extensions\toolbar@gmx.net
[2013/02/07 16:01:47 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/10/29 13:08:16 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012/11/19 13:38:03 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012/10/29 13:08:16 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/29 13:08:16 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012/10/29 13:08:16 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012/10/29 13:08:16 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012/10/29 13:08:16 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll File not found
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Wajam) - {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files\Wajam\IE\priam_bho.dll File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 10.9.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3C7E6CD9-BDFA-4788-AA0F-146DE9693532}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{2a99b6f7-ce04-11df-a31b-6c626d5ba4ba}\Shell - "" = AutoRun
O33 - MountPoints2\{2a99b6f7-ce04-11df-a31b-6c626d5ba4ba}\Shell\AutoRun\command - "" = I:\OnSpcLCK.exe
O33 - MountPoints2\{801fd1f2-465b-11e0-851e-74f06d53c40c}\Shell - "" = AutoRun
O33 - MountPoints2\{801fd1f2-465b-11e0-851e-74f06d53c40c}\Shell\AutoRun\command - "" = I:\CD_Start.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2013/02/18 17:53:16 | 000,000,000 | ---D | C] -- C:\Users\Butz\AppData\Local\Macromedia
[2013/02/18 17:53:16 | 000,000,000 | ---D | C] -- C:\Users\Butz\AppData\Roaming\Adobe
[2013/02/18 17:46:29 | 000,691,568 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/02/18 17:46:29 | 000,071,024 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/02/18 17:39:48 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013/02/18 17:32:13 | 000,000,000 | ---D | C] -- C:\Users\Butz\AppData\Roaming\Malwarebytes
[2013/02/18 17:32:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/02/18 17:32:00 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/02/18 17:32:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/02/18 17:31:42 | 000,000,000 | ---D | C] -- C:\Users\Butz\AppData\Local\Programs
[2013/02/18 17:17:17 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2013/02/18 17:17:17 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2013/02/18 17:16:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2013/02/15 11:32:02 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/02/15 11:32:01 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/02/15 11:32:01 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/02/15 11:32:00 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/02/15 11:32:00 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/02/15 11:31:59 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/02/15 11:31:59 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/02/15 11:31:57 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/02/15 11:27:33 | 002,347,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/02/15 11:27:28 | 003,967,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/02/15 11:27:28 | 003,913,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2013/02/15 11:27:26 | 000,187,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\FWPKCLNT.SYS
[2013/02/15 11:27:25 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2013/02/07 16:01:17 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2013/02/19 17:11:51 | 000,000,162 | -H-- | M] () -- C:\Users\Butz\Desktop\~$ojaner-Board.odt
[2013/02/19 17:11:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/02/19 17:11:06 | 2415,321,088 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/19 16:54:57 | 000,026,940 | ---- | M] () -- C:\Users\Butz\Desktop\Trojaner-Board.odt
[2013/02/19 16:51:29 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/02/19 16:51:29 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/02/19 16:50:45 | 000,000,000 | ---- | M] () -- C:\Users\Butz\defogger_reenable
[2013/02/18 17:52:33 | 000,001,993 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/02/18 17:46:29 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/02/18 17:46:29 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/02/18 17:32:06 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/16 21:59:23 | 000,001,993 | ---- | M] () -- C:\Users\Butz\Desktop\CyberLink Power2Go.lnk
[2013/02/16 21:31:43 | 000,654,594 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013/02/16 21:31:43 | 000,616,476 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/02/16 21:31:43 | 000,130,208 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013/02/16 21:31:43 | 000,106,598 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/02/16 21:31:17 | 000,011,776 | ---- | M] () -- C:\Users\Butz\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/02/15 17:53:33 | 000,305,152 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/01/30 11:53:21 | 000,232,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
========== Files Created - No Company Name ==========
[2013/02/19 17:11:51 | 000,000,162 | -H-- | C] () -- C:\Users\Butz\Desktop\~$ojaner-Board.odt
[2013/02/19 16:54:54 | 000,026,940 | ---- | C] () -- C:\Users\Butz\Desktop\Trojaner-Board.odt
[2013/02/19 16:50:45 | 000,000,000 | ---- | C] () -- C:\Users\Butz\defogger_reenable
[2013/02/18 17:52:33 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2013/02/18 17:52:33 | 000,001,993 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/02/18 17:32:06 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/08/12 09:42:02 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/06/10 06:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2011/04/20 09:04:24 | 000,306,688 | ---- | C] () -- C:\Windows\System32\Lffpx7.dll
[2011/04/20 09:04:24 | 000,095,232 | ---- | C] () -- C:\Windows\System32\Lfkodak.dll
[2010/10/02 11:23:21 | 000,011,776 | ---- | C] () -- C:\Users\Butz\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/02 10:10:06 | 000,000,952 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
========== ZeroAccess Check ==========
[2011/11/17 06:38:39 | 000,000,000 | -HSD | M] -- C:\Users\Butz\AppData\Local\{25acc865-1727-95dc-b988-8bd5cdec6c00}\L
[2011/11/17 06:38:39 | 000,000,000 | -HSD | M] -- C:\Users\Butz\AppData\Local\{25acc865-1727-95dc-b988-8bd5cdec6c00}\U
[2009/07/14 05:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 02:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== Alternate Data Streams ==========
@Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:373E1720
< End of report >
OTL Logfile:
OTL Extras logfile created on: 2/19/2013 5:13:15 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Butz\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 1.84 Gb Available Physical Memory | 61.49% Memory free
6.00 Gb Paging File | 4.74 Gb Available in Paging File | 79.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 890.41 Gb Total Space | 849.87 Gb Free Space | 95.45% Space Free | Partition Type: NTFS
Drive D: | 40.00 Gb Total Space | 23.52 Gb Free Space | 58.80% Space Free | Partition Type: NTFS
Computer Name: BUTZ-PC | User Name: Butz | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- Reg Error: Key error. File not found
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03367673-EA2C-4B0D-B4CB-A15024C13C9B}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{0E121B8D-C224-4C11-97C1-AB6D42BF8F66}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1496F3F7-EFBC-46BE-ACDD-AF9F87ACBB22}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{17F93039-E0FA-47E5-98D6-299B21DA7164}" = rport=139 | protocol=6 | dir=out | app=system |
"{1F42DA64-2956-4462-851B-60E3B606F45B}" = rport=445 | protocol=6 | dir=out | app=system |
"{23210593-D4B5-426D-9C4A-386C9BE88D7D}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{233A4542-2311-4000-824A-0614808EDA58}" = lport=10243 | protocol=6 | dir=in | app=system |
"{25AADFD1-5E63-418A-8AF6-8FA45351D6DD}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{262AA7ED-C984-4BCC-9A55-40F48AAF0D33}" = lport=139 | protocol=6 | dir=in | app=system |
"{2C89F6E2-8F73-4541-98EC-AC69A5B91A70}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4ACE646C-C9C1-416D-8860-D16C32ADB32B}" = rport=10243 | protocol=6 | dir=out | app=system |
"{50BC5E54-AF9E-44AA-99B1-ED9FDC036494}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{76A14684-1D21-4132-A207-D499592A0C70}" = lport=445 | protocol=6 | dir=in | app=system |
"{7C74D6CD-518A-46E1-A353-636DF0C1E19C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{8C2455F1-B6D2-4AAE-96C8-9F32023FDA88}" = rport=137 | protocol=17 | dir=out | app=system |
"{9A36B861-EBAF-4D6C-B16F-7F9174C246D6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{A48F2149-CC0F-4569-9893-12B754FA8057}" = lport=138 | protocol=17 | dir=in | app=system |
"{A5CDD27F-0207-403C-83B9-7411D4F69C20}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A62CCF45-EB6C-419A-8671-C07DAC5B90DF}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AB224FD7-7B50-4625-8008-B7F2F68ABB71}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D4746E1A-E760-4372-86D9-DFFFCF8DC966}" = lport=137 | protocol=17 | dir=in | app=system |
"{D4DA7B4A-803B-46A9-8508-068046B9C8BE}" = rport=138 | protocol=17 | dir=out | app=system |
"{F5DA69BA-6BB1-49AA-A6CA-60CC984A501A}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0AE6BA05-93F2-4D0B-8BF6-4819A81B3583}" = protocol=6 | dir=in | app=c:\program files\avg\avg2013\avgmfapx.exe |
"{19894A62-A006-4548-B1A9-1C97D959534E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{21500E78-FA63-4537-8B33-37D3B9FE1B8E}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{2C20A91C-5654-4E62-AD7F-04D89D0A1A37}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{397F948C-9218-4539-AD0B-ECA5EE7CF9B7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{495A7DE7-85AE-46EB-AEDC-BAD431D3D613}" = protocol=6 | dir=out | app=system |
"{63CC0B04-F738-4E02-8C31-0ECFCC8B9ABF}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{6CA97596-D894-4E7B-90B4-8376281DB14B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8345497E-4702-496F-9B59-46DCA1D69C57}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{9059BFFE-0597-4B6D-A5E7-B80D460D1B61}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{A1912181-9A2B-4AFE-9CEB-9F9B57FB3EDC}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{A6A616D5-30A6-445E-A040-A125EC2162DD}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{ADD1BF8D-2AEC-4387-A1B7-CDBA4B3EE2D3}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{BB73F38A-A6CD-4184-90E7-E0E777D76604}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{C5E4D889-2BEA-498E-9B82-DC82D82BF773}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{CE4CA937-7AE6-4EF3-BAE7-2E1FDEF1C93B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E8066667-BD23-498E-9EA9-7016DC7996CB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{F3B2A8E2-A423-4CF7-A5F4-E8B350B27933}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F572FB04-2C56-4001-8927-ADD69ED29577}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{FBD3C46C-9E34-4F71-9007-91DE9D8B5F57}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{FD547BBD-EE6B-4A71-914A-B127040C3644}" = protocol=17 | dir=in | app=c:\program files\avg\avg2013\avgmfapx.exe |
"TCP Query User{25701619-AC61-4A4C-BA61-602B27ABB9A2}C:\windows\system32\taskhost.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskhost.exe |
"TCP Query User{4F45A347-A493-4096-85BE-95156569B5C0}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{6BC5A207-B066-4AAB-A835-116C26FD2680}C:\windows\system32\taskhost.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskhost.exe |
"UDP Query User{E3E0082D-1708-4105-9B69-5F8AF0673EFF}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{C0237AA4-1BFB-46EA-860D-7B0EB365CA13}" = CorelDRAW Essentials 4
"_{CF0ADC18-6D8F-4353-8EAA-DF45456B7853}" = CorelDRAW Essentials 4 - Windows Shell Extension
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{07B62101-7EBD-434A-94B1-B38063BE5516}" = CorelDRAW Essentials 4 - PHOTO-PAINT
"{093561FF-BC54-CD42-77BD-4885F16C60B7}" = CCC Help Danish
"{0ED4216F-3540-4D6B-8199-1C8DDEA3924B}" = CorelDRAW Essentials 4 - Lang DE
"{17D39326-BF2B-FCE9-DE84-58EE76F945CD}" = CCC Help French
"{19AC095C-3520-4999-AA15-93B6D0248A50}" = CorelDRAW Essentials 4 - Content
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java(TM) 6 Update 16
"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33
"{26A24AE4-039D-4CA4-87B4-2F83217009FF}" = Java 7 Update 9
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{34A9406E-1994-4C20-AC72-04CFA2B24545}" = CorelDRAW Essentials 4 - Lang EN
"{3576C335-958D-4D60-A812-F68F9A2796AF}" = CorelDRAW Essentials 4 - Lang IT
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A4940D6-418E-867B-F214-2B0C58E7961D}" = CCC Help Swedish
"{5500BB35-1C21-4328-9F16-F894B860FADE}" = CorelDRAW Essentials 4 - Lang NL
"{586509F0-350D-48B5-B763-9CC2F8D96C4C}" = Windows Live Sync
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{701BDB1B-8D00-8C67-6F64-BDD3B58EC827}" = CCC Help Norwegian
"{70AA9B4F-64F7-4B0D-ADD8-05802D61AF72}" = Windows Live Toolbar
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{76E852ED-1B06-4BC8-9D6A-625DB95FB7E5}" = CorelDRAW Essentials 4 - IPM - No VBA
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8D1E61D1-1395-4E97-997F-D002DB3A5074}" = OpenOffice.org 3.2
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90140000-006D-0407-0000-0000000FF1CE}" = Microsoft Office Klick-und-Los 2010
"{90140011-0066-0407-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - Deutsch
"{9043B9A0-9505-405B-8202-E7167A38A89C}" = CorelDRAW Essentials 4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker
"{AB770FDE-8087-4C98-9A85-BD64262C104C}" = Medion Home Cinema
"{ABD8B955-1C69-4AF3-949B-13CD587C175F}" = CorelDRAW Essentials 4 - Lang BR
"{AC76BA86-7AD7-1031-7B44-AB0000000001}" = Adobe Reader XI (11.0.01) - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B355AD55-ED88-4A46-015D-51AAD00EB57D}" = CCC Help Japanese
"{B95FB6E3-8373-52BC-C824-8DDB1D6DD049}" = CCC Help Dutch
"{B9FA9F15-A1F3-4DB1-AD49-0B9351843FAA}" = CorelDRAW Essentials 4 - Draw
"{BA9319FE-BCEF-4C99-8039-F464648D046E}" = CorelDRAW Essentials 4 - Lang FR
"{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU]
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BE4AE3A7-190D-BCB8-A953-A708C9E8E8AA}" = ATI Catalyst Install Manager
"{C0237AA4-1BFB-46EA-860D-7B0EB365CA13}" = CorelDRAW Essentials 4 - ICA
"{C09C15F5-DDB7-3820-CF1A-798051174EC7}" = CCC Help Italian
"{C2214950-8342-4878-1286-31D0F07FDC34}" = Catalyst Control Center Localization All
"{C39F6C00-142E-48AC-633F-15E6AA7E24D8}" = Catalyst Control Center Graphics Previews Vista
"{C47D990B-5D5C-B6A6-A04D-676379D39170}" = CCC Help English
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"{C682F3F0-00A6-4379-B083-4F3273624D7B}" = CorelDRAW Essentials 4 - Lang ES
"{C7105B49-9E6E-C93C-74E6-858B0863F604}" = Catalyst Control Center InstallProxy
"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CF0ADC18-6D8F-4353-8EAA-DF45456B7853}" = CorelDRAW Essentials 4 - Windows Shell Extension
"{CF52C7EA-BDEF-A58F-6F33-0431076766C8}" = ccc-utility
"{D7C7EA35-4C51-F874-3AB7-95DC40DDA494}" = CCC Help German
"{D81845B4-5239-AD56-39A5-9FCFE528330F}" = ccc-core-static
"{DFD284CD-501F-B36C-67D9-05D4D7D590AB}" = CCC Help Spanish
"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{EAC1A606-1D31-AC37-90DD-5684A6E7D2E8}" = CCC Help Finnish
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F16841F6-5F0F-4DBE-B318-63CEB916F21D}" = CorelDRAW Essentials 4 - Filters
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"ALDI SÜD Mah Jong" = ALDI SÜD Mah Jong
"CCleaner" = CCleaner
"ElsterFormular für Privatanwender 12.2.0.6412p" = ElsterFormular für Privatanwender
"Forte Free" = Forte Free 2.0
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"InstallShield_{AB770FDE-8087-4C98-9A85-BD64262C104C}" = Medion Home Cinema
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"InstallShield_{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 18.0.2 (x86 de)" = Mozilla Firefox 18.0.2 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.Click2Run" = Microsoft Office Klick-und-Los 2010
"Samsung ML-2010 Series" = Samsung ML-2010 Series
"WinLiveSuite_Wave3" = Windows Live Essentials
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 8/27/2012 4:17:38 AM | Computer Name = Butz-PC | Source = Application Hang | ID = 1002
Description = Programm firefox.exe, Version 11.0.0.4454 kann nicht mehr unter Windows
ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 1084 Startzeit:
01cd8429010a9495 Endzeit: 28 Anwendungspfad: C:\Program Files\Mozilla Firefox\firefox.exe
Berichts-ID:
996307bb-f01f-11e1-a339-74f06d53c40c
Error - 8/30/2012 5:27:07 AM | Computer Name = Butz-PC | Source = CVHSVC | ID = 100
Description = Nur zur Information. (Patch task for {90140011-0066-0407-0000-0000000FF1CE}):
DownloadLatest Failed:
Error - 11/1/2012 10:08:37 AM | Computer Name = Butz-PC | Source = Application Hang | ID = 1002
Description = Programm firefox.exe, Version 16.0.2.4680 kann nicht mehr unter Windows
ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 1370 Startzeit:
01cdb839bfd971d5 Endzeit: 16 Anwendungspfad: C:\Program Files\Mozilla Firefox\firefox.exe
Berichts-ID:
79874020-242d-11e2-9ee2-6c626d5ba4ba
Error - 11/26/2012 1:17:59 PM | Computer Name = Butz-PC | Source = Windows Search Service | ID = 1019
Description =
Error - 11/26/2012 1:23:57 PM | Computer Name = Butz-PC | Source = Windows Search Service | ID = 1019
Description =
Error - 11/26/2012 1:33:35 PM | Computer Name = Butz-PC | Source = Windows Search Service | ID = 1019
Description =
Error - 12/14/2012 8:23:31 AM | Computer Name = Butz-PC | Source = CVHSVC | ID = 100
Description = Nur zur Information. (Patch task for {90140011-0066-0407-0000-0000000FF1CE}):
DownloadLatest Failed:
Error - 1/2/2013 2:15:15 PM | Computer Name = Butz-PC | Source = CVHSVC | ID = 100
Description = Nur zur Information. (Patch task for {90140011-0066-0407-0000-0000000FF1CE}):
DownloadLatest Failed:
Error - 1/11/2013 9:18:10 AM | Computer Name = Butz-PC | Source = Application Hang | ID = 1002
Description = Programm firefox.exe, Version 17.0.1.4715 kann nicht mehr unter Windows
ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung,
um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: 300 Startzeit:
01cdeffdbdfbfb61 Endzeit: 30 Anwendungspfad: C:\Program Files\Mozilla Firefox\firefox.exe
Berichts-ID:
532bba22-5bf1-11e2-bcc4-6c626d5ba4ba
Error - 1/29/2013 12:10:28 PM | Computer Name = Butz-PC | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: svchost.exe_LanmanServer, Version:
6.1.7600.16385, Zeitstempel: 0x4a5bc100 Name des fehlerhaften Moduls: unknown, Version:
0.0.0.0, Zeitstempel: 0x00000000 Ausnahmecode: 0xc0000005 Fehleroffset: 0x00000000
ID
des fehlerhaften Prozesses: 0x434 Startzeit der fehlerhaften Anwendung: 0x01cdfe3b188b4ca5
Pfad
der fehlerhaften Anwendung: C:\Windows\system32\svchost.exe Pfad des fehlerhaften
Moduls: unknown Berichtskennung: 6565690d-6a2e-11e2-adfa-6c626d5ba4ba
Error - 2/18/2013 12:20:07 PM | Computer Name = Butz-PC | Source = Application Hang | ID = 1002
Description = Programm Explorer.EXE, Version 6.1.7601.17567 kann nicht mehr unter
Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf
in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem
zu suchen. Prozess-ID: 664 Startzeit: 01ce0df12c0a80e4 Endzeit: 29 Anwendungspfad:
C:\Windows\Explorer.EXE Berichts-ID:
[ System Events ]
Error - 2/19/2013 5:55:27 AM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "WajamUpdater" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2
Error - 2/19/2013 10:10:26 AM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "ASPI32" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2
Error - 2/19/2013 10:10:26 AM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "DgiVecp" wurde aufgrund folgenden Fehlers nicht gestartet:
%%20
Error - 2/19/2013 10:10:28 AM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "WajamUpdater" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2
Error - 2/19/2013 11:44:18 AM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "ASPI32" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2
Error - 2/19/2013 11:44:18 AM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "DgiVecp" wurde aufgrund folgenden Fehlers nicht gestartet:
%%20
Error - 2/19/2013 11:44:22 AM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "WajamUpdater" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2
Error - 2/19/2013 12:11:16 PM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "ASPI32" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2
Error - 2/19/2013 12:11:16 PM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "DgiVecp" wurde aufgrund folgenden Fehlers nicht gestartet:
%%20
Error - 2/19/2013 12:11:17 PM | Computer Name = Butz-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "WajamUpdater" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2
< End of report >
I hope that was everything you needed so far!
Looking forward to your reply!
Regards