Suisa - symptoms already removed (Windows 7)
17.07.2012, 07:59 | #1
Suisa - symptoms already removed

Hello everyone

And yet another computer that has been infected by the Suisa virus. So far I have managed to get normal access to the computer again and to work with it, i.e. I have already removed the symptoms. Now I just need to remove the virus itself. I can't do that myself, though, because I have no idea how to evaluate the log files.

So far I have had the PC scanned by three different tools:
1. Malwarebytes' Anti-Malware
2. Microsoft Standalone System Sweeper (MS Security Essentials Offline)
3. OTL

The OTL log file looks as follows:

OTL Logfile:
Code:
OTL logfile created on: 17.07.2012 08:46:52 - Run 1
OTL by OldTimer - Version 3.2.54.0     Folder = F:\Burger-inf\Suisa-Virus_Tools
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.05% Memory free
4.24 Gb Paging File | 3.05 Gb Available in Paging File | 71.81% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102.16 Gb Total Space | 37.66 Gb Free Space | 36.86% Space Free | Partition Type: NTFS
Drive D: | 46.77 Gb Total Space | 0.46 Gb Free Space | 0.99% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 5.85 Gb Free Space | 78.52% Space Free | Partition Type: FAT32

Computer Name: DESKTOP | User Name: Bruno Bucher | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.07.13 08:43:16 | 000,596,480 | ---- | M] (OldTimer Tools) -- F:\Burger-inf\Suisa-Virus_Tools\OTL.exe
PRC - [2012.05.08 22:12:30 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.08 22:12:29 | 000,086,992 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\ipmgui.exe
PRC - [2012.05.08 22:12:21 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012.05.08 22:12:20 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.05.08 22:12:20 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.04.04 07:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012.02.10 11:28:06 | 000,193,816 | ---- | M] (Microsoft Corporation.) -- C:\Programme\Microsoft\BingBar\7.1.361.0\BBSvc.EXE
PRC - [2010.04.13 18:40:40 | 000,968,448 | ---- | M] () -- C:\Programme\Second Copy 8\SCVSSSvc.exe
PRC - [2009.07.30 16:05:58 | 000,497,000 | ---- | M] (Sony Corporation) -- C:\Programme\Sony\Content Transfer\ContentTransferWMDetector.exe
PRC - [2009.04.11 08:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2009.04.11 08:28:03 | 001,233,920 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Sidebar\sidebar.exe
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.02.26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2009.02.04 21:26:38 | 000,128,232 | ---- | M] (CyberLink Corp.) -- C:\Programme\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008.01.21 04:25:56 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 04:25:56 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2008.01.21 04:23:59 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MSASCui.exe

========== Modules (No Company Name) ==========

MOD - [2008.08.20 14:55:48 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll

========== Win32 Services (SafeList) ==========

SRV - [2012.05.08 22:12:30 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.08 22:12:20 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.04.04 07:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.02.10 11:28:06 | 000,240,408 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Programme\Microsoft\BingBar\7.1.361.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012.02.10 11:28:06 | 000,193,816 | ---- | M] (Microsoft Corporation.) [Auto | Running] -- C:\Programme\Microsoft\BingBar\7.1.361.0\BBSvc.EXE -- (BBSvc)
SRV - [2011.07.20 06:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2010.04.13 18:40:40 | 000,968,448 | ---- | M] () [Auto | Running] -- C:\Programme\Second Copy 8\SCVSSSvc.exe -- (SCVSSService)
SRV - [2008.01.21 04:25:56 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:59 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2012.05.08 22:12:32 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.08 22:12:32 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011.12.15 16:00:00 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008.08.20 14:55:46 | 003,591,168 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2008.08.20 14:55:46 | 003,591,168 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008.07.16 14:03:20 | 000,212,992 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\k57nd60x.sys -- (k57nd60x) Broadcom NetLink (TM)
DRV - [2008.01.21 04:23:50 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)
DRV - [2008.01.21 04:23:50 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{D50A12EE-0E06-4F53-9B77-DACC1D96785F}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&Form=DLRDF7&pc=MDDR&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1164181200-2664092181-1671702511-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USREL/17
IE - HKU\S-1-5-21-1164181200-2664092181-1671702511-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ch/
IE - HKU\S-1-5-21-1164181200-2664092181-1671702511-1002\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-1164181200-2664092181-1671702511-1002\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7SUNC_deCH360
IE - HKU\S-1-5-21-1164181200-2664092181-1671702511-1002\..\SearchScopes\{D50A12EE-0E06-4F53-9B77-DACC1D96785F}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=DLRDF7&pc=MDDR&src=IE-SearchBox
IE - HKU\S-1-5-21-1164181200-2664092181-1671702511-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - homepage: hxxp://www.google.com
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\12.0.742.100\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.300.12 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U30 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: Chrome NaCl (Disabled) = C:\Program Files\Google\Chrome\Application\12.0.742.100\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\12.0.742.100\pdf.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Programme\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Programme\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1164181200-2664092181-1671702511-1002..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Bruno Bucher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.100.0.2 10.150.0.254 195.186.1.162
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{529173BE-998C-4C84-91E8-F62472B015DD}: DhcpNameServer = 10.100.0.2 10.150.0.254 195.186.1.162
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Bruno Bucher\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Bruno Bucher\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012.07.17 02:54:31 | 000,000,000 | ---D | C] -- C:\Windows\Microsoft Antimalware
[2012.07.16 13:37:21 | 000,000,000 | -HSD | C] -- C:\found.000
[2012.07.04 21:49:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome

========== Files - Modified Within 30 Days ==========

[2012.07.17 08:49:17 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.07.17 08:49:17 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.07.17 08:49:17 | 000,126,248 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.07.17 08:49:17 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.07.17 08:45:28 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.07.17 08:43:14 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.07.17 08:42:07 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.17 08:42:06 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.17 08:41:48 | 000,270,736 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.07.17 08:41:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.07.10 09:22:39 | 000,006,836 | ---- | M] () -- C:\Users\Bruno Bucher\AppData\Local\d3d9caps.dat
[2012.07.05 13:03:40 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012.07.04 21:48:16 | 000,001,894 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012.07.04 21:07:55 | 000,135,018 | ---- | M] () -- C:\Users\Bruno Bucher\Documents\Documents\tierliste.pdf
[2012.06.25 22:27:45 | 000,472,474 | ---- | M] () -- C:\Users\Bruno Bucher\Documents\Documents\Scan0002.pdf
[2012.06.24 22:49:34 | 000,307,071 | ---- | M] () -- C:\Users\Bruno Bucher\Documents\Documents\Scan0001.pdf

========== Files Created - No Company Name ==========

[2012.07.04 21:49:24 | 000,001,973 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012.07.04 21:48:16 | 000,001,894 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012.07.04 21:48:16 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012.07.04 21:07:55 | 000,135,018 | ---- | C] () -- C:\Users\Bruno Bucher\Documents\Documents\tierliste.pdf
[2012.06.25 22:27:45 | 000,472,474 | ---- | C] () -- C:\Users\Bruno Bucher\Documents\Documents\Scan0002.pdf
[2012.06.24 22:49:33 | 000,307,071 | ---- | C] () -- C:\Users\Bruno Bucher\Documents\Documents\Scan0001.pdf
[2012.06.09 20:01:19 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2012.04.18 21:47:18 | 000,006,144 | ---- | C] () -- C:\Users\Bruno Bucher\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012.01.17 20:44:39 | 000,006,836 | ---- | C] () -- C:\Users\Bruno Bucher\AppData\Local\d3d9caps.dat
[2012.01.11 16:19:48 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2012.01.11 16:19:48 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2012.01.11 16:19:12 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2012.01.09 23:30:05 | 000,010,194 | -HS- | C] () -- C:\ProgramData\475e21p31gxqka8n7paa3h

========== LOP Check ==========

[2012.07.17 08:33:06 | 000,032,530 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

And here is the Extras.txt as well:

OTL Logfile:
Code:
OTL Extras logfile created on: 17.07.2012 08:46:52 - Run 1
OTL by OldTimer - Version 3.2.54.0     Folder = F:\Burger-inf\Suisa-Virus_Tools
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000807 | Country: Schweiz | Language: DES | Date Format: dd.MM.yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.05% Memory free
4.24 Gb Paging File | 3.05 Gb Available in Paging File | 71.81% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102.16 Gb Total Space | 37.66 Gb Free Space | 36.86% Space Free | Partition Type: NTFS
Drive D: | 46.77 Gb Total Space | 0.46 Gb Free Space | 0.99% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 5.85 Gb Free Space | 78.52% Space Free | Partition Type: FAT32

Computer Name: DESKTOP | User Name: Bruno Bucher | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MI1933~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{725F9484-4E0B-4B7C-A558-A8ED8920F277}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{CB80B6F6-C323-41C3-BF8E-1E5ECC24C0AA}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{21D42718-D375-4CDE-A12A-44663D2419B7}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{286CA54C-55A7-4E8E-8BB4-64009E3413FB}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\powerdvd.exe |
"{31490839-AD7C-409A-8D56-D204879E12FC}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{45C36154-36B9-450D-AB28-139FB96AE2E5}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{4A106055-A0CC-4BD5-B46C-A623A90083A3}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe |
"{501BE05B-CF9A-4E30-AAD1-C86EEECDCDD5}" = protocol=17 | dir=in | app=c:\program files\gnucash\bin\gnucash.exe |
"{5BE425B4-4DD9-40CD-8997-761A18E2E32E}" = dir=in | app=c:\program files\hp\hp officejet 6600\bin\hpnetworkcommunicator.exe |
"{7C05FE84-546A-47BB-88A7-8B26EFBFFF72}" = dir=in | app=c:\program files\hp\hp officejet 6600\bin\devicesetup.exe |
"{A88D1598-E1E1-4627-B3DD-476BEC0C0E55}" = protocol=17 | dir=in | app=c:\program files\gnucash\bin\gconfd-2.exe |
"{CAB7516C-B68A-4C02-8FE1-CEECA4BE9D1C}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{CC544D91-36C8-484D-A65B-5F0969A66185}" = protocol=6 | dir=in | app=c:\program files\gnucash\bin\gnucash.exe |
"{CE7805C5-4E66-473B-A306-AC65168A553B}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{F676D01E-EF56-4A37-B7FF-9E07EDC9D72D}" = protocol=6 | dir=in | app=c:\program files\gnucash\bin\gconfd-2.exe |
"TCP Query User{4624C5C0-7B88-47F3-A2E3-0CDEF927533D}C:\programdata\kaspersky lab setup files\kaspersky internet security 2009\german\setup.exe" = protocol=6 | dir=in | app=c:\programdata\kaspersky lab setup files\kaspersky internet security 2009\german\setup.exe |
"UDP Query User{A3DDC2C2-5CB3-48B5-B04F-CF9143C357CE}C:\programdata\kaspersky lab setup files\kaspersky internet security 2009\german\setup.exe" = protocol=17 | dir=in | app=c:\programdata\kaspersky lab setup files\kaspersky internet security 2009\german\setup.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{056E7B58-F436-9614-6CD3-1DFDDD7DA470}" = CCC Help Turkish
"{0626167B-F30A-79EB-9B21-80B83468961A}" = CCC Help Chinese Traditional
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{08D6F386-D362-805B-05D2-79E4AB4F9CB9}" = CCC Help Korean
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2390D4C3-8CC7-2074-ACB9-A22ED2E1D4E9}" = CCC Help Portuguese
"{2555521A-9231-2F05-AEBE-FC1E2A7F825F}" = ccc-utility
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 30
"{27C42F0C-9090-97F7-9338-B6BD6DC25BB1}" = CCC Help Japanese
"{2BE84E12-E062-F989-BA16-25D53F343033}" = Skins
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3138EAD3-700B-4A10-B617-B3F8096EE30D}" = Dell Edoc Viewer
"{31CAC150-58B2-F696-D9EB-2FC16C3A8FAA}" = Catalyst Control Center Localization Portuguese
"{34475C54-DA68-DA37-E014-2ADD65AF627F}" = Catalyst Control Center Localization Hungarian
"{3541D8B6-BE96-0E6B-8987-D1CE1FBF848A}" = CCC Help German
"{3A732171-7856-43BD-B828-39B9E2B3E195}" = Catalyst Control Center Localization Spanish
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4207500E-1543-47F3-1695-6728E6520903}" = Catalyst Control Center Graphics Full Existing
"{4453BCB7-5327-F8D1-C048-851310A389EF}" = Catalyst Control Center Localization Turkish
"{4A2D8C96-7B4F-A66A-6773-23F7796F9BA2}" = CCC Help Spanish
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX
"{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie
"{73E8E831-160A-6E74-1AAA-AB698E1986BC}" = CCC Help Hungarian
"{76E29237-CCAB-CD1A-F8A1-6C3CFF002F26}" = Catalyst Control Center Graphics Previews Vista
"{7A33E298-5BEA-7C94-C512-1DF1C977537E}" = Catalyst Control Center Localization Italian
"{7BB045C3-D5E4-4620-B536-DC11AACD5942}" = Broadcom Management Programs
"{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer
"{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call
"{837B6259-6FF5-4E66-87C1-A5A15ED36FF4}" = Windows Live Messenger
"{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{853026E0-CD36-1790-7988-194CADDDFB25}" = ccc-core-static
"{85DF2EED-08BC-46FB-90DA-28B0D0A8E8A8}" = HP Update
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{8D8E6D0B-5A57-9ABD-AEA2-C0052401C5F6}" = Catalyst Control Center Localization Chinese Traditional
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95E52415-B952-B013-A2AD-5163896D8B9C}" = Catalyst Control Center Graphics Full New
"{9813D8C7-92E3-4C20-83FA-CCB4ED4605AD}" = Studie zur Verbesserung von HP Officejet 6600 Produkten
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1E79477-B730-7E48-7EFF-0D1CB3202933}" = Catalyst Control Center Graphics Previews Common
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B25E016C-44C2-856A-98A8-789D1E2B1C56}" = Catalyst Control Center Graphics Light
"{B463BAAF-A379-AAF1-8979-6ED69C25ED37}" = Catalyst Control Center Localization Japanese
"{B6CF1DB0-09E8-0A2E-A510-1F2F8BDE5ECF}" = CCC Help Italian
"{BC60B681-C3A3-0363-DA09-FA9706ED9680}" = CCC Help Chinese Standard
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BE09DD64-706D-4975-8034-E561C270D1E5}" = HP Officejet 6600 - Grundlegende Software für das Gerät
"{BECDD3A4-FEEC-9804-4782-F31A8A842361}" = CCC Help English
"{C022906C-A509-33D1-E42B-FF92F8E7BED4}" = Catalyst Control Center Core Implementation
"{C818BA3A-226F-4ED0-9CEF-96A0DF300211}" = HP Officejet 6600 Hilfe
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CA6BCA2F-EDEB-408F-850B-31404BE16A61}" = I.R.I.S. OCR
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFADE4AF-C0CF-4A04-A776-741318F1658F}" = Content Transfer
"{D035A6CA-E9DD-4B40-66F8-15842888E447}" = Catalyst Control Center Localization French
"{D6C3C9E7-D334-4918-BD57-5B1EF14C207D}" = Bing Bar
"{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials
"{E453921D-30B6-7692-179C-6F6112F18F81}" = Catalyst Control Center Localization Chinese Standard
"{EA853B19-A618-8D18-F4A4-6B96083DC3A3}" = Catalyst Control Center Localization Korean
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{FD023F61-65E9-465C-B558-7C64EB2B97E6}" = Dell Handbuch zum Einstieg
"{FE46238E-2FB4-C9E1-323D-AD0DA64BED91}" = Catalyst Control Center Localization German
"{FFC59020-35A5-4856-B0FB-23B95D6C2976}" = CCC Help French
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Avira AntiVir Desktop" = Avira Free Antivirus
"Banana50_is1" = Banana Buchhaltung 5.0
"CutePDF Writer Installation" = CutePDF Writer 2.5
"GnuCash_is1" = GnuCash 2.4.0
"Google
Chrome" = Google Chrome
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Second Copy 8_is1" = Second Copy 8
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 24.06.2012 16:48:20 | Computer Name = Desktop | Source = WinMgmt | ID = 10
Description =

Error - 24.06.2012 16:51:55 | Computer Name = Desktop | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 24.06.2012 16:56:37 | Computer Name = Desktop | Source = EventSystem | ID = 4621
Description =

Error - 25.06.2012 16:16:13 | Computer Name = Desktop | Source = WinMgmt | ID = 10
Description =

Error - 25.06.2012 16:59:42 | Computer Name = Desktop | Source = EventSystem | ID = 4621
Description =

Error - 26.06.2012 14:39:05 | Computer Name = Desktop | Source = WinMgmt | ID = 10
Description =

Error - 26.06.2012 14:43:41 | Computer Name = Desktop | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 26.06.2012 16:31:53 | Computer Name = Desktop | Source = EventSystem | ID = 4621
Description =

Error - 27.06.2012 13:31:06 | Computer Name = Desktop | Source = WinMgmt | ID = 10
Description =

Error - 27.06.2012 13:57:42 | Computer Name = Desktop | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

[ OSession Events ]
Error - 16.09.2010 14:50:08 | Computer Name = Desktop | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000.
This session lasted 1256 seconds with 1020 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 21.09.2009 12:42:22 | Computer Name = Desktop | Source = Dhcp | ID = 1002
Description = Die IP-Adresslease 192.168.100.10 für die Netzwerkkarte mit der Netzwerkadresse 0023AE7E5489 wurde durch den DHCP-Server 212.4.65.41 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet).

Error - 23.09.2009 06:32:42 | Computer Name = Desktop | Source = HTTP | ID = 15016
Description =

Error - 24.09.2009 06:28:16 | Computer Name = Desktop | Source = HTTP | ID = 15016
Description =

Error - 24.09.2009 06:28:17 | Computer Name = Desktop | Source = Microsoft-Windows-ResourcePublication | ID = 1002
Description =

Error - 24.09.2009 06:28:46 | Computer Name = Desktop | Source = Dhcp | ID = 1000
Description = Die Lease dieses Computers zu der IP-Adresse 192.168.100.10 über die Netzwerkkarte mit der Netzwerkadresse 0023AE7E5489 ist verloren gegangen.

Error - 26.09.2009 01:09:53 | Computer Name = Desktop | Source = HTTP | ID = 15016
Description =

Error - 26.09.2009 06:40:36 | Computer Name = Desktop | Source = HTTP | ID = 15016
Description =

Error - 27.09.2009 08:19:07 | Computer Name = Desktop | Source = HTTP | ID = 15016
Description =

Error - 27.09.2009 08:19:38 | Computer Name = Desktop | Source = Dhcp | ID = 1000
Description = Die Lease dieses Computers zu der IP-Adresse 192.168.100.10 über die Netzwerkkarte mit der Netzwerkadresse 0023AE7E5489 ist verloren gegangen.

Error - 27.09.2009 09:23:23 | Computer Name = Desktop | Source = HTTP | ID = 15016
Description =


< End of report >

I hope someone can help me soon; many thanks in advance.

Kind regards from Switzerland

Hi, I forgot to include the Malwarebytes logfile:

Code:
Malwarebytes' Anti-Malware
www.malwarebytes.org

Database version:

Windows 5.1.2600
Internet Explorer 6.0.2800.5512

2012-07-16 16:44:48
mbam-log-2012-07-16 (16-44-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 220243
Time elapsed: 39 minute(s), 27 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
x:\I386\System32\keybtray.exe (Malware.Packer.Gen) -> 1600 -> Unloaded process successfully.
b:\Temp\HBCD\Opera\opera.exe (Trojan.Downloader) -> 1176 -> Unloaded process successfully.

Memory Modules Infected:
x:\I386\System32\wzcsvc.dll (Trojan.FakeAV) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
x:\I386\System32\wzcsvc.dll (Trojan.FakeAV) -> Quarantined and deleted successfully.
x:\I386\System32\keybtray.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
b:\Temp\HBCD\Opera\opera.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{5f4ba4dc-7d04-4c2e-b6d6-dace4482af30}\RP103\A0016133.exe (Spyware.Agent) -> Quarantined and deleted successfully.
x:\I386\System32\sfcfiles.dll (Trojan.Patched) -> Quarantined and deleted successfully.

Last edited by burger-inf (17.07.2012, 08:48) |
17.07.2012, 16:51 | #2 |
/// Malware-holic | Suisa - symptoms already removed Hi
How did you run the Malwarebytes scan? Somehow the info in it doesn't really match your system. |
18.07.2012, 07:24 | #3 |
| Suisa - symptoms already removed Hi
At first nothing worked, so I booted from a CD (Hiren's Boot CD) and had Malwarebytes scan the computer's hard disk from there. Since then I can get onto the computer again; no more demand for payment for illegally downloaded data. Kind regards from Switzerland. Last edited by burger-inf (18.07.2012, 07:37) |
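The mismatch Malware-holic points out in #2 is explained by #3: a scan launched from Hiren's Boot CD runs inside the CD's own mini Windows XP, which is why the Malwarebytes header reports Windows 5.1.2600 (the XP kernel) and Internet Explorer 6 while OTL describes a Vista installation (Version = 6.0.6002), and why the hits sit under x:\I386\System32 and b:\Temp\HBCD, paths that most likely belong to the boot environment rather than to the installed system. As an added example that is not part of this thread and is not Malwarebytes' or OTL's own tooling, the Python below parses abbreviated copies of the two logs (constructed from the ones quoted above), compares the Windows version the scanner ran under with the one OTL recorded for the installed system, and splits the detections into those on a drive letter OTL lists for the host and those on letters it does not. Drive-letter assignment inside a boot environment is not guaranteed to match the installed system's, so the split is a triage hint, not proof; the function names (otl_windows_version, mbam_detections, triage) are my own.

```python
import re

# Constructed, abbreviated copies of the two log headers quoted in this thread.
# Only the lines the checker needs are kept.
OTL_HEADER = r"""OTL logfile created on: 17.07.2012 08:46:52 - Run 1
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Drive C: | 102.16 Gb Total Space | 37.66 Gb Free Space | 36.86% Space Free | Partition Type: NTFS
Drive D: | 46.77 Gb Total Space | 0.46 Gb Free Space | 0.99% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 5.85 Gb Free Space | 78.52% Space Free | Partition Type: FAT32
"""

MBAM_LOG = r"""Malwarebytes' Anti-Malware
www.malwarebytes.org

Windows 5.1.2600
Internet Explorer 6.0.2800.5512

Scan type: Full scan (C:\|)

Files Infected:
x:\I386\System32\wzcsvc.dll (Trojan.FakeAV) -> Quarantined and deleted successfully.
b:\Temp\HBCD\Opera\opera.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{5f4ba4dc-7d04-4c2e-b6d6-dace4482af30}\RP103\A0016133.exe (Spyware.Agent) -> Quarantined and deleted successfully.
"""

# OTL prints the kernel version of the system it ran on, e.g. "(Version = 6.0.6002)".
_OTL_VERSION = re.compile(r"\(Version = (\d+\.\d+\.\d+)\)")
# OTL lists every fixed drive of the installed system as "Drive X: | ...".
_OTL_DRIVE = re.compile(r"^Drive ([A-Z]):", re.MULTILINE)
# Malwarebytes 1.x prints the kernel version of the environment it ran in, e.g. "Windows 5.1.2600".
_MBAM_VERSION = re.compile(r"^Windows (\d+\.\d+\.\d+)", re.MULTILINE)
# One detection per line: "<path> (<family>) -> <action>".
_MBAM_HIT = re.compile(r"^([A-Za-z]:\\.+?) \(([A-Za-z.]+)\) -> ", re.MULTILINE)


def otl_windows_version(otl_text):
    """Kernel version of the installed system as reported by OTL, or None."""
    m = _OTL_VERSION.search(otl_text)
    return m.group(1) if m else None


def otl_drives(otl_text):
    """Set of drive letters OTL enumerated on the installed system."""
    return set(_OTL_DRIVE.findall(otl_text))


def mbam_windows_version(mbam_text):
    """Kernel version of the environment the Malwarebytes scan ran in, or None."""
    m = _MBAM_VERSION.search(mbam_text)
    return m.group(1) if m else None


def mbam_detections(mbam_text):
    """Unique (path, family) pairs from the scan log, in order of first appearance."""
    seen, hits = set(), []
    for path, family in _MBAM_HIT.findall(mbam_text):
        if path.lower() not in seen:
            seen.add(path.lower())
            hits.append((path, family))
    return hits


def same_major_version(a, b):
    """True when both versions share major.minor (6.0.x == 6.0.y); None if either is missing."""
    if a is None or b is None:
        return None
    return a.split(".")[:2] == b.split(".")[:2]


def triage(otl_text, mbam_text):
    """Cross-check a Malwarebytes log against the OTL log of the same machine.

    Returns the two Windows versions, whether they agree, and the detections
    split by whether their drive letter is one OTL saw on the host. A scan run
    from boot media (as in this thread) shows up as a version mismatch plus
    detections on drive letters the host does not have.
    """
    host_ver = otl_windows_version(otl_text)
    scan_ver = mbam_windows_version(mbam_text)
    host_drives = otl_drives(otl_text)
    host_hits, foreign_hits = [], []
    for path, family in mbam_detections(mbam_text):
        target = host_hits if path[0].upper() in host_drives else foreign_hits
        target.append((path, family))
    return {
        "host_os": host_ver,
        "scan_os": scan_ver,
        "same_os": same_major_version(host_ver, scan_ver),
        "host_hits": host_hits,
        "foreign_hits": foreign_hits,
    }


if __name__ == "__main__":
    result = triage(OTL_HEADER, MBAM_LOG)
    print("installed system:", result["host_os"], "| scan environment:",
          result["scan_os"], "| same OS:", result["same_os"])
    for path, family in result["host_hits"]:
        print("host   ", family, path)
    for path, family in result["foreign_hits"]:
        print("foreign", family, path)
```

Run against the logs in this thread the checker reports a version mismatch (6.0 vs 5.1), puts the restore-point hit on C: in the host bucket and the x:\ and b:\ hits in the foreign bucket; the second Malwarebytes log in #4 carries no numeric version line, so `same_os` comes back as None there and the comparison has to be made by hand.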
19.07.2012, 10:30 | #4 |
| Suisa - symptoms already removed Hi, I scanned again because something clearly isn't right with the previous logs. Malwarebytes: Code:
Malwarebytes Anti-Malware (Test) 1.61.0.1400
www.malwarebytes.org

Datenbank Version: v2012.04.04.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Bruno Bucher :: DESKTOP [Administrator]

Schutz: Aktiviert

19.07.2012 08:19:37
mbam-log-2012-07-19 (08-19-37).txt

Art des Suchlaufs: Vollständiger Suchlauf
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 340744
Laufzeit: 56 Minute(n), 27 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

Code:
ATTFilter GMER 1.0.15.15641 - hxxp://www.gmer.net Rootkit scan 2012-07-18 15:29:46 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3160815AS rev.4.ADA Running: q803md3v.exe; Driver: C:\Users\BRUNOB~1\AppData\Local\Temp\fxldapoc.sys ---- System - GMER 1.0.15 ---- SSDT 8BB92506 ZwCreateSection SSDT 8BB92510 ZwRequestWaitReplyPort SSDT 8BB9250B ZwSetContextThread SSDT 8BB92515 ZwSetSecurityObject SSDT 8BB9251A ZwSystemDebugControl SSDT 8BB924A7 ZwTerminateProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 215 850C98D8 4 Bytes [06, 25, B9, 8B] .text ntkrnlpa.exe!KeSetEvent + 539 850C9BFC 4 Bytes [10, 25, B9, 8B] .text ntkrnlpa.exe!KeSetEvent + 56D 850C9C30 4 Bytes [0B, 25, B9, 8B] .text ntkrnlpa.exe!KeSetEvent + 5D1 850C9C94 4 Bytes [15, 25, B9, 8B] .text ntkrnlpa.exe!KeSetEvent + 619 850C9CDC 4 Bytes [1A, 25, B9, 8B] .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EE0F000, 0x1F8A4C, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtCreateFile 77684244 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtCreateFile + 4 77684248 2 Bytes [86, 71] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtDeleteValueKey 77684664 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtDeleteValueKey + 4 77684668 2 Bytes [8C, 71] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtOpenFile 77684A24 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtOpenFile + 4 77684A28 2 Bytes [83, 71] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtOpenProcess 77684AA4 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtOpenProcess + 4 77684AA8 2 Bytes [89, 71] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtSetContextThread 77685094 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtSetContextThread + 4 77685098 2 Bytes [80, 71] .text C:\Windows\Explorer.EXE[1616] 
ntdll.dll!NtSetValueKey 776852C4 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1616] ntdll.dll!NtSetValueKey + 4 776852C8 2 Bytes [8F, 71] .text C:\Windows\Explorer.EXE[1616] kernel32.dll!LoadLibraryExW + 173 763C93EF 4 Bytes JMP 71AF000A .text C:\Windows\Explorer.EXE[1616] ADVAPI32.dll!CreateServiceW 765E9EB4 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[1616] ADVAPI32.dll!CreateServiceA 766272A1 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1616] USER32.dll!PostMessageA 7614F8F8 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[1616] USER32.dll!SendMessageA 7614F956 6 Bytes JMP 71A2000A .text C:\Windows\Explorer.EXE[1616] USER32.dll!PostMessageW 7615A175 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[1616] USER32.dll!SendMessageW 76160AED 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[1616] USER32.dll!mouse_event 7617044E 6 Bytes JMP 71AB000A .text C:\Windows\Explorer.EXE[1616] USER32.dll!SendInput 76172F75 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1616] USER32.dll!SendInput + 4 76172F79 2 Bytes [A4, 71] .text C:\Windows\Explorer.EXE[1616] USER32.dll!keybd_event 7619D972 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[1616] WS2_32.dll!GetAddrInfoW 75EC3D12 6 Bytes JMP 716C000A .text C:\Windows\Explorer.EXE[1616] WS2_32.dll!connect 75EC40D9 6 Bytes JMP 7175000A .text C:\Windows\Explorer.EXE[1616] WS2_32.dll!listen 75EC8CD7 6 Bytes JMP 7172000A .text C:\Windows\Explorer.EXE[1616] WS2_32.dll!gethostbyname 75ED62D4 6 Bytes JMP 716F000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtCreateFile 77684244 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtCreateFile + 4 77684248 2 Bytes [86, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtDeleteValueKey 77684664 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtDeleteValueKey + 4 77684668 2 
Bytes [8C, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtOpenFile 77684A24 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtOpenFile + 4 77684A28 2 Bytes [83, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtOpenProcess 77684AA4 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtOpenProcess + 4 77684AA8 2 Bytes [89, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtSetContextThread 77685094 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtSetContextThread + 4 77685098 2 Bytes [80, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtSetValueKey 776852C4 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ntdll.dll!NtSetValueKey + 4 776852C8 2 Bytes [8F, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] KERNEL32.dll!LoadLibraryExW + 173 763C93EF 4 Bytes JMP 71AF000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] USER32.dll!PostMessageA 7614F8F8 6 Bytes JMP 719C000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] USER32.dll!SendMessageA 7614F956 6 Bytes JMP 71A2000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] USER32.dll!PostMessageW 7615A175 6 Bytes JMP 7199000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] USER32.dll!SendMessageW 76160AED 6 Bytes JMP 719F000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] USER32.dll!mouse_event 7617044E 6 Bytes JMP 71AB000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] USER32.dll!SendInput 76172F75 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI 
Technologies\ATI.ACE\Core-Static\MOM.exe[1684] USER32.dll!SendInput + 4 76172F79 2 Bytes [A4, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] USER32.dll!keybd_event 7619D972 6 Bytes JMP 71A8000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ADVAPI32.dll!CreateServiceW 765E9EB4 6 Bytes JMP 7193000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1684] ADVAPI32.dll!CreateServiceA 766272A1 6 Bytes JMP 7196000A .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtCreateFile 77684244 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtCreateFile + 4 77684248 2 Bytes [86, 71] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtDeleteValueKey 77684664 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtDeleteValueKey + 4 77684668 2 Bytes [8C, 71] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtOpenFile 77684A24 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtOpenFile + 4 77684A28 2 Bytes [83, 71] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtOpenProcess 77684AA4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtOpenProcess + 4 77684AA8 2 Bytes [89, 71] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtSetContextThread 77685094 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtSetContextThread + 4 77685098 2 Bytes [80, 71] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtSetValueKey 776852C4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[2024] ntdll.dll!NtSetValueKey + 4 776852C8 2 Bytes [8F, 71] .text C:\Windows\System32\mobsync.exe[2024] kernel32.dll!LoadLibraryExW + 173 763C93EF 4 Bytes JMP 71AF000A .text C:\Windows\System32\mobsync.exe[2024] ADVAPI32.dll!CreateServiceW 765E9EB4 6 Bytes JMP 7193000A .text C:\Windows\System32\mobsync.exe[2024] ADVAPI32.dll!CreateServiceA 766272A1 6 Bytes JMP 7196000A .text 
C:\Windows\System32\mobsync.exe[2024] USER32.dll!PostMessageA 7614F8F8 6 Bytes JMP 719C000A .text C:\Windows\System32\mobsync.exe[2024] USER32.dll!SendMessageA 7614F956 6 Bytes JMP 71A2000A .text C:\Windows\System32\mobsync.exe[2024] USER32.dll!PostMessageW 7615A175 6 Bytes JMP 7199000A .text C:\Windows\System32\mobsync.exe[2024] USER32.dll!SendMessageW 76160AED 6 Bytes JMP 719F000A .text C:\Windows\System32\mobsync.exe[2024] USER32.dll!mouse_event 7617044E 6 Bytes JMP 71AB000A .text C:\Windows\System32\mobsync.exe[2024] USER32.dll!SendInput 76172F75 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\mobsync.exe[2024] USER32.dll!SendInput + 4 76172F79 2 Bytes [A4, 71] .text C:\Windows\System32\mobsync.exe[2024] USER32.dll!keybd_event 7619D972 6 Bytes JMP 71A8000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtCreateFile 77684244 3 Bytes [FF, 25, 1E] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtCreateFile + 4 77684248 2 Bytes [86, 71] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtDeleteValueKey 77684664 3 Bytes [FF, 25, 1E] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtDeleteValueKey + 4 77684668 2 Bytes [8C, 71] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtOpenFile 77684A24 3 Bytes [FF, 25, 1E] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtOpenFile + 4 77684A28 2 Bytes [83, 71] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtOpenProcess 77684AA4 3 Bytes [FF, 25, 1E] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtOpenProcess + 4 77684AA8 2 Bytes [89, 71] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtSetContextThread 77685094 3 Bytes [FF, 25, 1E] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtSetContextThread + 4 77685098 2 Bytes [80, 71] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtSetValueKey 776852C4 3 Bytes [FF, 25, 1E] 
.text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ntdll.dll!NtSetValueKey + 4 776852C8 2 Bytes [8F, 71] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] kernel32.dll!LoadLibraryExW + 173 763C93EF 4 Bytes JMP 71AF000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] USER32.dll!PostMessageA 7614F8F8 6 Bytes JMP 719C000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] USER32.dll!SendMessageA 7614F956 6 Bytes JMP 71A2000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] USER32.dll!PostMessageW 7615A175 6 Bytes JMP 7199000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] USER32.dll!SendMessageW 76160AED 6 Bytes JMP 719F000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] USER32.dll!mouse_event 7617044E 6 Bytes JMP 71AB000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] USER32.dll!SendInput 76172F75 3 Bytes [FF, 25, 1E] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] USER32.dll!SendInput + 4 76172F79 2 Bytes [A4, 71] .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] USER32.dll!keybd_event 7619D972 6 Bytes JMP 71A8000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ADVAPI32.dll!CreateServiceW 765E9EB4 6 Bytes JMP 7193000A .text F:\Burger-inf\Suisa-Virus_Tools\q803md3v.exe[2068] ADVAPI32.dll!CreateServiceA 766272A1 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtCreateFile 77684244 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtCreateFile + 4 77684248 2 Bytes [86, 71] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtDeleteValueKey 77684664 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtDeleteValueKey + 4 77684668 2 Bytes [8C, 71] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtOpenFile 77684A24 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtOpenFile + 4 77684A28 2 Bytes [83, 71] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtOpenProcess 
77684AA4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtOpenProcess + 4 77684AA8 2 Bytes [89, 71] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtSetContextThread 77685094 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtSetContextThread + 4 77685098 2 Bytes [80, 71] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtSetValueKey 776852C4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2356] ntdll.dll!NtSetValueKey + 4 776852C8 2 Bytes [8F, 71] .text C:\Windows\system32\taskeng.exe[2356] kernel32.dll!LoadLibraryExW + 173 763C93EF 4 Bytes JMP 71AF000A .text C:\Windows\system32\taskeng.exe[2356] ADVAPI32.dll!CreateServiceW 765E9EB4 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[2356] ADVAPI32.dll!CreateServiceA 766272A1 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[2356] USER32.dll!PostMessageA 7614F8F8 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[2356] USER32.dll!SendMessageA 7614F956 6 Bytes JMP 71A2000A .text C:\Windows\system32\taskeng.exe[2356] USER32.dll!PostMessageW 7615A175 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[2356] USER32.dll!SendMessageW 76160AED 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[2356] USER32.dll!mouse_event 7617044E 6 Bytes JMP 71AB000A .text C:\Windows\system32\taskeng.exe[2356] USER32.dll!SendInput 76172F75 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2356] USER32.dll!SendInput + 4 76172F79 2 Bytes [A4, 71] .text C:\Windows\system32\taskeng.exe[2356] USER32.dll!keybd_event 7619D972 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[2356] WS2_32.dll!GetAddrInfoW 75EC3D12 6 Bytes JMP 7175000A .text C:\Windows\system32\taskeng.exe[2356] WS2_32.dll!connect 75EC40D9 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[2356] WS2_32.dll!listen 75EC8CD7 6 Bytes JMP 717B000A .text C:\Windows\system32\taskeng.exe[2356] WS2_32.dll!gethostbyname 75ED62D4 6 Bytes JMP 7178000A 
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtCreateFile 77684244 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtCreateFile + 4 77684248 2 Bytes [86, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtDeleteValueKey 77684664 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtDeleteValueKey + 4 77684668 2 Bytes [8C, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtOpenFile 77684A24 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtOpenFile + 4 77684A28 2 Bytes [83, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtOpenProcess 77684AA4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtOpenProcess + 4 77684AA8 2 Bytes [89, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtSetContextThread 77685094 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtSetContextThread + 4 77685098 2 Bytes [80, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtSetValueKey 776852C4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ntdll.dll!NtSetValueKey + 4 776852C8 2 Bytes [8F, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] kernel32.dll!LoadLibraryExW + 173 763C93EF 4 Bytes JMP 71AF000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] USER32.dll!PostMessageA 7614F8F8 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] USER32.dll!SendMessageA 7614F956 6 Bytes JMP 71A2000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] USER32.dll!PostMessageW 7615A175 6 Bytes JMP 7199000A .text C:\Program 
Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] USER32.dll!SendMessageW 76160AED 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] USER32.dll!mouse_event 7617044E 6 Bytes JMP 71AB000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] USER32.dll!SendInput 76172F75 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] USER32.dll!SendInput + 4 76172F79 2 Bytes [A4, 71] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] USER32.dll!keybd_event 7619D972 6 Bytes JMP 71A8000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ADVAPI32.dll!CreateServiceW 765E9EB4 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[2644] ADVAPI32.dll!CreateServiceA 766272A1 6 Bytes JMP 7196000A .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtCreateFile 77684244 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtCreateFile + 4 77684248 2 Bytes [86, 71] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtDeleteValueKey 77684664 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtDeleteValueKey + 4 77684668 2 Bytes [8C, 71] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtOpenFile 77684A24 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtOpenFile + 4 77684A28 2 Bytes [83, 71] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtOpenProcess 77684AA4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtOpenProcess + 4 77684AA8 2 Bytes [89, 71] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtSetContextThread 77685094 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2676] ntdll.dll!NtSetContextThread + 4 77685098 2 Bytes [80, 71] 
AutoRuns shows all applications that are executed at system startup or that try to be: Code:
"Microsoft Corporation" "c:\program files\common files\microsoft shared\office12\odserv.exe" + "ose" "Speichert Installationsdateien, die für Updates und Reparieren verwendet werden, und ist zum Herunterladen von Setup-Updates und Watson-Fehlerberichten erforderlich." "Microsoft Corporation" "c:\program files\common files\microsoft shared\source engine\ose.exe" + "SCVSSService" "Provides Volume Shadow Copy service backup support for Second Copy." "" "c:\program files\second copy 8\scvsssvc.exe" + "stllssvr" "SureThing Labelflash Disc Printer Service Module" "MicroVision Development, Inc." "c:\program files\common files\surething shared\stllssvr.exe" + "WinDefend" "Überprüft den Computer auf unerwünschte Software, plant Überprüfungen und lädt die neuesten Softwaredefinitionen herunter." "Microsoft Corporation" "c:\program files\windows defender\mpsvc.dll" + "WMPNetworkSvc" "Gibt Windows Media Player-Bibliotheken mithilfe des universellen Plug & Play für andere Players und Mediengeräte auf dem Netzwerk frei" "Microsoft Corporation" "c:\program files\windows media player\wmpnetwk.exe" "HKLM\System\CurrentControlSet\Services" "" "" "" + "a2acc" "Emsisoft on-access minifilter" "" "File not found: C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys" + "A2DDA" "Emsisoft Direct Disk Access Support Driver" "Emsi Software GmbH" "c:\program files\emsisoft anti-malware\a2ddax86.sys" + "a2util" "Provides several additional functionality used by the a-squared Malware-IDS." "Emsi Software GmbH" "c:\program files\emsisoft anti-malware\a2util32.sys" + "ADIHdAudAddService" "High Definition Audio Function Driver" "Analog Devices, Inc." "c:\windows\system32\drivers\adihdaud.sys" + "atikmdag" "ATI Radeon Kernel Mode Driver" "ATI Technologies Inc." 
"c:\windows\system32\drivers\atikmdag.sys" + "avgntflt" "Avira mini-filter driver" "Avira GmbH" "c:\windows\system32\drivers\avgntflt.sys" + "avipbb" "Avira Security Enhancement Driver" "Avira GmbH" "c:\windows\system32\drivers\avipbb.sys" + "avkmgr" "Avira Manager Driver" "Avira GmbH" "c:\windows\system32\drivers\avkmgr.sys" + "BrFiltLo" "Windows ME USB Mass-Storage Bulk-Only Lower Filter Driver" "Brother Industries, Ltd." "c:\windows\system32\drivers\brfiltlo.sys" + "BrFiltUp" "Windows ME USB Mass-Storage Bulk-Only Upper Filter Driver" "Brother Industries, Ltd." "c:\windows\system32\drivers\brfiltup.sys" + "BrUsbSer" "Brother USB Serial Driver" "Brother Industries Ltd." "c:\windows\system32\drivers\brusbser.sys" + "e1express" "Intel(R) PRO/1000 Adapter NDIS 6-nicht serialisierter Treiber" "Intel Corporation" "c:\windows\system32\drivers\e1e6032.sys" + "E1G60" "Intel(R) PRO/1000 Adapter NDIS 6-nicht serialisierter Treiber" "Intel Corporation" "c:\windows\system32\drivers\e1g60i32.sys" + "IpInIp" "IP in IP Tunnel Driver" "" "File not found: system32\DRIVERS\ipinip.sys" + "k57nd60x" "Broadcom NetLink (TM) Gigabit Ethernet NDIS6.x Unified Driver." "Broadcom Corporation" "c:\windows\system32\drivers\k57nd60x.sys" + "MBAMProtector" " Malwarebytes Anti-Malware " "Malwarebytes Corporation" "c:\windows\system32\drivers\mbam.sys" + "NwlnkFlt" "IPX Traffic Filter Driver" "" "File not found: system32\DRIVERS\nwlnkflt.sys" + "NwlnkFwd" "IPX Traffic Forwarder Driver" "" "File not found: system32\DRIVERS\nwlnkfwd.sys" + "PxHelp20" "Px Engine Device Driver for Windows 2000/XP" "Sonic Solutions" "c:\windows\system32\drivers\pxhelp20.sys" + "R300" "ATI Radeon Kernel Mode Driver" "ATI Technologies Inc." "c:\windows\system32\drivers\atikmdag.sys" + "secdrv" "Macrovision SECURITY Driver" "Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K." 
"c:\windows\system32\drivers\secdrv.sys" + "ssmdrv" "Avira Snapshot Driver" "Avira GmbH" "c:\windows\system32\drivers\ssmdrv.sys" + "VST_DPV" "HSF_DP driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\vstdpv3.sys" + "VSTHWBS2" "HSF_HWB2 WDM driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\vstbs23.sys" + "winachsf" "HSF_CNXT driver" "Conexant Systems, Inc." "c:\windows\system32\drivers\vstcnxt3.sys" "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" "" + "msacm.l3acm" "MPEG Layer-3 Audio Codec for MSACM" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codeca.acm" + "vidc.cvid" "Cinepak(C) Codec" "Radius Inc." "c:\windows\system32\iccvid.dll" "HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" "" + "9x8Resize" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "Allocator Fix" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "ATI Ticker" "" "" "c:\program files\ati technologies\ati.ace\graphics-previews-common\ticker.ax" + "Bitmap" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "Capture ASF Writer" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "Capture File Writer" "Windows Live Video Acquisition Filters" "Microsoft Corporation" "c:\program files\windows live\photo gallery\wlxvafilt.dll" + "CyberLink Audio Decoder" "CyberLink Audio Decoder Filter" "CyberLink Corp." "c:\program files\cyberlink\powerdvd dx\kernel\movie\claud.ax" + "CyberLink Audio Effect" "CyberLink Audio Effect Filter" "CyberLink Corporation" "c:\program files\cyberlink\powerdvd dx\kernel\movie\claudfx.ax" + "CyberLink Audio Spectrum Analyzer" "CLAudSpa.ax" "CyberLink Corp." 
"c:\program files\cyberlink\powerdvd dx\kernel\movie\claudspa.ax" + "CyberLink Audio Wizard" "CyberLink Audio Wizard Filter" "CyberLink Corp." "c:\program files\cyberlink\powerdvd dx\kernel\movie\claudwizard.ax" + "CyberLink AudioCD Filter" "CyberLink AudioCD Filter" "CyberLink Corp." "c:\program files\cyberlink\powerdvd dx\kernel\movie\claudiocd.ax" + "CyberLink Demultiplexer" "MPEG-2 Dempltiplexer" "CyberLink Corp." "c:\program files\cyberlink\powerdvd dx\kernel\movie\cldemuxer.ax" + "CyberLink DVD Navigator" "CyberLink DVD Navigation Filter" "CyberLink Corp." "c:\program files\cyberlink\powerdvd dx\kernel\movie\clnavx.ax" + "CyberLink Line21 Decoder Filter" "CyberLink Line21 Decoder Filter" "CyberLink Corp." "c:\program files\cyberlink\powerdvd dx\kernel\movie\clline21.ax" + "Cyberlink SubTitle Importor" "CLSubTitle.ax" "CyberLink Corp." "c:\program files\cyberlink\powerdvd dx\kernel\movie\clsubtitle.ax" + "CyberLink TimeStretch Filter" "CLAuTS.ax" "CyberLink Corp." "c:\program files\cyberlink\powerdvd dx\kernel\movie\clauts.ax" + "CyberLink Video Effect" "CLVidFx" "CyberLink" "c:\program files\cyberlink\powerdvd dx\kernel\movie\clvidfx.ax" + "CyberLink Video/SP Decoder" "CyberLink Video/SP Filter" "CyberLink Corp." 
"c:\program files\cyberlink\powerdvd dx\kernel\movie\clvsd.ax" + "Frame Eater" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "MMACE Deinterlace" "" "" "c:\program files\ati technologies\ati.ace\graphics-previews-common\mmacefilters.dll" + "MMACE ProcAmp" "" "" "c:\program files\ati technologies\ati.ace\graphics-previews-common\mmacefilters.dll" + "MMACE SoftEmu" "" "" "c:\program files\ati technologies\ati.ace\graphics-previews-common\mmacefilters.dll" + "Multiple File Output" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "Proxy Sink" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "Proxy Source" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "Record Queue" "Windows Live Video Acquisition Filters" "Microsoft Corporation" "c:\program files\windows live\photo gallery\wlxvafilt.dll" + "Record Queue" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "ShotDetect" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "Sonic Cinemaster® Audio Decoder 4.2" "SonicHDAudio" "Sonic Solutions" "c:\program files\common files\sonic shared\cinemasteraudio.dll" + "Sonic Cinemaster® VideoDecoder 4.1" "CinemasterVideo" "Sonic Solutions" "c:\program files\common files\sonic shared\cinemastervideo.dll" + "Sonic HD Demuxer" "Sonic HD Demuxer" "" "c:\program files\common files\sonic shared\sonichddemuxer.dll" + "Sonic HD Nav" "SonicHDNav" "" "c:\program files\common files\sonic shared\sonichdnav.dll" + "Sony ATRAC3/3plus Decode Filter" "Sony ATRAC3/3plus Decode Filter" "Sony Corporation" "c:\windows\system32\atxdec.ax" + "Sony ATRAC3/3plus Parse Filter" "Sony ATRAC3/3plus Parse Filter" "Sony Corporation" "c:\windows\system32\atxparser.ax" + "SonyMp4AacDecoder" "SonyMp4AacDecoder" 
"sony" "c:\program files\sony\content transfer\sonymp4aacdecoder.ax" + "Stetch" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WM VIH2 Fix" "Windows Live Video Acquisition Filters" "Microsoft Corporation" "c:\program files\windows live\photo gallery\wlxvafilt.dll" + "WM VIH2 Fix" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Audio Analyzer" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Black Frame Generator" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT DV Extract Filter" "Windows Live Video Acquisition Filters" "Microsoft Corporation" "c:\program files\windows live\photo gallery\wlxvafilt.dll" + "WMT DV Extract Filter" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT FormatConversion" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Import Filter" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Interlacer" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Log Filter" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT MuxDeMux Filter" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Sample Info Filter" "Windows Live Video Acquisition Filters" "Microsoft Corporation" "c:\program files\windows live\photo gallery\wlxvafilt.dll" + "WMT Sample Info Filter" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Switch Filter" "Windows Live Video Acquisition Filters" "Microsoft Corporation" "c:\program files\windows live\photo gallery\wlxvafilt.dll" + "WMT Switch 
Filter" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Virtual Renderer" "Windows Live Video Acquisition Filters" "Microsoft Corporation" "c:\program files\windows live\photo gallery\wlxvafilt.dll" + "WMT Virtual Renderer" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Virtual Source" "Windows Live Video Acquisition Filters" "Microsoft Corporation" "c:\program files\windows live\photo gallery\wlxvafilt.dll" + "WMT Virtual Source" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" + "WMT Volume" "Windows Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll" "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" "" + "CNY SELPHY CP LM13" "SELPHY CP Family Driver Language Monitor" "Canon INC." "c:\windows\system32\cnymlm13.dll" + "CutePDF Writer Monitor" "" "" "c:\windows\system32\cpwmon2k.dll" + "HP 5D12 Status Monitor" "Print Status Language Monitor" "Hewlett-Packard Co." "c:\windows\system32\hpinksts5d12lm.dll" + "HP Discovery Port Monitor (HP Officejet 6600)" "HP Discovery Port Monitor" "Hewlett-Packard Co." "c:\windows\system32\hpdiscopm5d12.dll" "C:\Users\Bruno Bucher\AppData\Local\Microsoft\Windows Sidebar\Settings.ini" "" "" ""
Last edited by burger-inf (19.07.2012, 10:39) |
19.07.2012, 12:00 | #5 |
/// Malware-holic | Suisa - symptoms already removed
Please don't create logs that weren't requested. A reply can take up to 3 days; we have a lot to do at the moment.
Combofix may only be run when a team member has instructed you to do so! Please download Combofix from one of these download mirrors: Link 1 Link 2. IMPORTANT - save Combofix to your desktop.
When Combofix has finished, it will create a log file. Please post C:\Combofix.txt in your next reply. Note: if you get the following error message after the restart: Quote:
__________________ -Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de Forwarding instructions: http://markusg.trojaner-board.de For now, please forward mails to markusg.trojaner-board@web.de as described above. If you would like to support us |
19.07.2012, 12:36 | #6 |
| Suisa - symptoms already removed
I understand that you're very busy at the moment, and I'm sorry if I'm causing unnecessary stress here, but I need to have the computer cleaned as quickly as possible. I already have the ComboFix log file for you: Code:
ATTFilter ComboFix 12-07-18.04 - Bruno Bucher 19.07.2012 13:18:03.1.2 - x86 Microsoft® Windows Vista™ Business 6.0.6002.2.1252.41.1031.18.2045.984 [GMT 2:00] ausgeführt von:: f:\burger-inf\Suisa-Virus_Tools\Hr. Bucher\programme\ComboFix.exe AV: Avira Desktop *Disabled/Outdated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C} AV: Emsisoft Anti-Malware *Disabled/Outdated* {8504DEEF-CC04-1F76-2137-F1A5F4A659DA} SP: Avira Desktop *Disabled/Outdated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691} SP: Emsisoft Anti-Malware *Disabled/Outdated* {3E653F0B-EA3E-10F8-1B87-CAD78F211367} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\programdata\475e21p31gxqka8n7paa3h c:\windows\unin0407.exe . . ((((((((((((((((((((((( Dateien erstellt von 2012-06-19 bis 2012-07-19 )))))))))))))))))))))))))))))) . . 2012-07-19 11:22 . 2012-07-19 11:23 -------- d-----w- c:\users\Bruno Bucher\AppData\Local\temp 2012-07-19 11:22 . 2012-07-19 11:22 -------- d-----w- c:\users\Stephanie\AppData\Local\temp 2012-07-19 11:22 . 2012-07-19 11:22 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-19 11:18 . 2012-07-19 11:18 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{38861B07-7EEA-4264-A42A-1A5CC23E93DA}\offreg.dll 2012-07-18 13:52 . 2012-07-18 13:52 -------- d-----w- c:\users\Bruno Bucher\AppData\Roaming\Malwarebytes 2012-07-18 13:51 . 2012-07-18 13:51 -------- d-----w- c:\programdata\Malwarebytes 2012-07-17 12:19 . 2012-07-19 11:12 -------- d-----w- c:\program files\Emsisoft Anti-Malware 2012-07-17 00:54 . 2012-07-17 00:54 -------- d-----w- c:\windows\Microsoft Antimalware 2012-07-16 11:37 . 2012-07-16 11:37 -------- d-----w- C:\found.000 2012-07-12 06:27 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys 2012-07-11 19:11 . 
2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll 2012-07-11 19:11 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll 2012-07-11 19:11 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll 2012-07-11 19:11 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2012-07-11 19:11 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll 2012-07-11 19:11 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll 2012-07-10 06:55 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{38861B07-7EEA-4264-A42A-1A5CC23E93DA}\mpengine.dll 2012-07-02 06:53 . 2012-07-02 06:53 -------- d-----w- c:\users\Stephanie\AppData\Roaming\HpUpdate 2012-06-24 20:53 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-24 20:53 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-24 20:53 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-24 20:53 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-24 20:52 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-24 20:52 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-24 20:52 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-24 20:52 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-24 20:52 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-05-08 20:12 . 2012-01-11 13:00 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2012-05-08 20:12 . 2012-01-11 13:00 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys 2012-05-01 14:03 . 2012-06-14 19:10 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-23 16:00 . 
2012-06-14 19:16 984064 ----a-w- c:\windows\system32\crypt32.dll 2012-04-23 16:00 . 2012-06-14 19:16 98304 ----a-w- c:\windows\system32\cryptnet.dll 2012-04-23 16:00 . 2012-06-14 19:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-02 39408] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-04 128232] "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-07-30 497000] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-16 1310720] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208] "emsisoft anti-malware"="c:\program files\emsisoft anti-malware\a2guard.exe" [2012-06-17 3367328] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712] . c:\users\Bruno Bucher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) . 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Second Copy] 2011-09-19 09:36 2996008 ----a-w- c:\program files\Second Copy 8\SecCopy.exe . R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [x] S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [x] S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [x] S2 a2AntiMalware;Emsisoft Anti-Malware 6.6 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [x] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x] . . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache . Inhalt des "geplante Tasks" Ordners . 2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 19:45] . 2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 19:45] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.ch/ IE: Nach Microsoft E&xel exportieren - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000 TCP: DhcpNameServer = 10.100.0.2 10.150.0.254 195.186.1.162 . - - - - Entfernte verwaiste Registrierungseinträge - - - - . SafeBoot-23930635.sys MSConfigStartUp-Lexmark X1100 Series - c:\program files\Lexmark X1100 Series\lxbkbmgr.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2012-07-19 13:23 Windows 6.0.6002 Service Pack 2 NTFS . Scanne versteckte Prozesse... . Scanne versteckte Autostarteinträge... . Scanne versteckte Dateien... . Scan erfolgreich abgeschlossen versteckte Dateien: 0 . 
************************************************************************** . Zeit der Fertigstellung: 2012-07-19 13:24:40 ComboFix-quarantined-files.txt 2012-07-19 11:24 . Vor Suchlauf: 8 Verzeichnis(se), 40'066'330'624 Bytes frei Nach Suchlauf: 13 Verzeichnis(se), 40'528'580'608 Bytes frei . - - End Of File - - 571AE4E4EC8F52BC69B2A8624267EBB4
Last edited by burger-inf (19.07.2012, 13:19) |
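The ComboFix log above lists what it removed (a random-named directory directly under C:\ProgramData and an executable dropped straight into C:\Windows) and, separately, every file created in the last 30 days. Picking the suspicious handful out of a long "Dateien erstellt" block is the recurring chore in these threads, so here is an added example, not part of the thread and not ComboFix's own code, of a small Python triage script that parses lines in ComboFix's created-files format and flags such entries. The watched locations, the "looks machine-generated" test and the sample lines (constructed, modelled on the log above with the user name replaced) are this example's assumptions.

```python
"""Triage helper for the 'files created' block of a ComboFix log.

Added example for this thread (not ComboFix's code, not posted by the helper).
It parses lines in the shape ComboFix prints under 'Dateien erstellt':

    2012-07-19 11:18 . 2012-07-19 11:18 56200 ----a-w- c:\\path\\file.dll

and flags entries a responder would inspect first. Watched locations, the
name heuristic and the sample lines are assumptions of this example.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"          # '--------' for directories
    r"(?P<attrs>[-a-z]{8})\s+"      # e.g. ----a-w- or d--h--w-
    r"(?P<path>\S.*?)\s*$"
)

# Parents in which a freshly created file deserves a second look ('*' = user name).
WATCHED_PARENTS = (
    r"c:\windows",
    r"c:\programdata",
    r"c:\users\*\appdata\roaming",
    r"c:\users\*\appdata\local",
    r"c:\users\*\appdata\local\temp",
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".vbs"}


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_entries(text: str) -> List[Entry]:
    """One Entry per line in the created-files format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            size = int(m["size"]) if m["size"].isdigit() else None
            entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(name: str) -> bool:
    """Long, purely alphanumeric, a real letter/digit mix and high entropy,
    like '475e21p31gxqka8n7paa3h'. Short names and {GUID} folders fail."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 10 or not stem.isalnum():
        return False
    digits = sum(ch.isdigit() for ch in stem)
    if digits == 0 or digits == len(stem) or digits / len(stem) < 0.2:
        return False
    return shannon_entropy(stem.lower()) >= 3.0


def in_watched_location(entry: Entry) -> bool:
    return any(fnmatchcase(entry.parent, pat) for pat in WATCHED_PARENTS)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (path, reasons) pairs for entries worth manual inspection."""
    findings = []
    for e in parse_entries(text):
        ext = "." + e.name.rsplit(".", 1)[1].lower() if "." in e.name else ""
        reasons = []
        if looks_generated(e.name):
            reasons.append("machine-generated name")
        if in_watched_location(e) and ext in EXEC_EXT:
            reasons.append(f"executable dropped directly in {e.parent}")
        if "h" in e.attrs or "s" in e.attrs:
            reasons.append(f"hidden/system attributes ({e.attrs})")
        if reasons:
            findings.append((e.path, "; ".join(reasons)))
    return findings


# Constructed sample: the first three lines are modelled on entries in the log
# above (user name replaced); the last two stand for the two items ComboFix
# listed under 'Weitere Löschungen', with invented timestamps and attributes.
SAMPLE = r"""
2012-07-19 11:18 . 2012-07-19 11:18 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{38861B07-7EEA-4264-A42A-1A5CC23E93DA}\offreg.dll
2012-07-18 13:52 . 2012-07-18 13:52 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2012-07-12 06:27 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-16 09:02 . 2012-07-16 09:02 -------- d--h--w- c:\programdata\475e21p31gxqka8n7paa3h
2012-07-16 09:02 . 2012-07-16 09:02 41984 ----a-w- c:\windows\unin0407.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE):
        print(f"{path}  <-  {reasons}")
```

Run against the sample, only the two ComboFix-deleted items are reported; the Defender definition file, the Malwarebytes profile folder and the win32k.sys update are left alone because they live in expected parents and carry ordinary names. The script is a first pass to shorten the list, not a verdict: anything it flags still needs a look at the file itself (publisher, hash, the autostart entries that reference it).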
19.07.2012, 14:23 | #7 |
/// Malware-holic | Suisa - symptoms already removed
Download CCleaner standard: CCleaner Download - CCleaner 3.20.1750. If CCleaner is already installed, skip that. Install it, open it, Tools, list of installed programs, save as txt. Open it. After every program you need, write "notwendig" (needed). After every one you don't need, "unnötig" (not needed). After those unknown to you, "unbekannt" (unknown). Post the list.
19.07.2012, 14:43 | #8 |
| Suisa - symptoms already removed
Hi, many thanks for the quick reply. What surprises me is that there is no program in the list that I don't know. Here is the program list: Code:
ATTFilter Adobe Acrobat 4.0 22.04.2012 notwendig Adobe Flash Player 10 ActiveX Adobe Systems Incorporated 07.11.2010 10.1.102.64 notwendig Adobe Reader X (10.1.3) - Deutsch Adobe Systems Incorporated 04.07.2012 121MB 10.1.3 notwendig ATI Catalyst Control Center 24.04.2009 24.0KB 2.008.0409.2230 notwendig Avira Free Antivirus Avira 08.05.2012 151MB 12.0.0.1125 notwendig Banana Buchhaltung 5.0 Banana.ch SA - Lugano (Switzerland) 24.05.2012 21.8MB 5.0.1.0 notwendig Bing Bar Microsoft Corporation 12.06.2012 527KB 7.1.361.0 unnötig Broadcom Management Programs Broadcom Corporation 24.04.2009 11.66.01 notwendig CCleaner Piriform 22.06.2012 4.76MB 3.20 unnötig Content Transfer Sony Corporation 14.07.2010 10.9MB 1.2.0.07300 notwendig CutePDF Writer 2.5 08.07.2009 notwendig Dell Handbuch zum Einstieg Dell Inc. 24.04.2009 1.00.0000 unnötig Emsisoft Anti-Malware Emsisoft GmbH 17.07.2012 179MB 6.6 unnötig GnuCash 2.4.0 GnuCash Development Team 29.01.2011 323MB notwendig Google Chrome Google Inc. 04.07.2012 269MB 20.0.1132.47 notwendig Google Toolbar for Internet Explorer Google Inc. 26.03.2012 10.0MB 7.3.2710.138 unnötig HP Officejet 6600 - Grundlegende Software für das Gerät Hewlett-Packard Co. 09.06.2012 157MB 25.0.619.0 notwendig HP Officejet 6600 Hilfe Hewlett Packard 09.06.2012 17.6MB 140.0.2.2 notwendig HP Update Hewlett-Packard 09.06.2012 3.98MB 5.003.000.004 notwendig I.R.I.S. OCR HP 09.06.2012 68.9MB 12.3.4.0 notwendig Java(TM) 6 Update 30 Sun Microsystems, Inc. 
24.04.2009 96.8MB 6.0.300 notwendig Microsoft .NET Framework 3.5 Language Pack SP1 - DEU Microsoft Corporation 11.08.2009 36.9MB notwendig Microsoft .NET Framework 3.5 SP1 Microsoft Corporation 29.04.2009 36.9MB notwendig Microsoft .NET Framework 4 Client Profile Microsoft Corporation 28.06.2010 120MB 4.0.30319 notwendig Microsoft .NET Framework 4 Client Profile DEU Language Pack Microsoft Corporation 28.06.2010 24.5MB 4.0.30319 notwendig Microsoft Office File Validation Add-In Microsoft Corporation 10.01.2012 11.2MB 14.0.5130.5003 notwendig Microsoft Office Home and Student 2007 Microsoft Corporation 22.02.2012 326MB 12.0.6612.1000 notwendig Microsoft Office Live Add-in 1.5 Microsoft Corporation 23.04.2012 506KB 2.0.4024.1 notwendig Microsoft Silverlight Microsoft Corporation 24.05.2012 225MB 5.1.10411.0 notwendig Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Corporation 24.04.2009 1.74MB 3.1.0000 notwendig Microsoft Sync Framework Runtime Native v1.0 (x86) Microsoft Corporation 24.04.2009 624KB 1.0.1215.0 notwendig Microsoft Sync Framework Services Native v1.0 (x86) Microsoft Corporation 24.04.2009 1.44MB 1.0.1215.0 notwendig Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Corporation 16.05.2010 590KB 9.0.30729.4148 notwendig Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 18.06.2011 594KB 9.0.30729.6161 notwendig Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Microsoft Corporation 11.01.2012 11.1MB 10.0.40219 notwendig PowerDVD DX Dell Corp. 
24.04.2009 38.3MB 8.2.5024 notwendig Roxio Activation Module Roxio 24.04.2009 1.0 notwendig Roxio Creator Audio Roxio 24.04.2009 3.5.0 notwendig Roxio Creator BDAV Plugin Roxio 24.04.2009 3.5.0 notwendig Roxio Creator Copy Roxio 24.04.2009 3.5.0 notwendig Roxio Creator Data Roxio 24.04.2009 3.5.0 notwendig Roxio Creator DE Roxio 24.04.2009 3.5.0 notwendig Roxio Creator Tools Roxio 24.04.2009 3.5.0 notwendig Roxio Express Labeler 3 Roxio 24.04.2009 3.2.1 notwendig Roxio Update Manager Roxio 24.04.2009 6.0.0 notwendig Second Copy 8 Centered Systems 12.03.2012 12.7MB 8.0.5.3 notwendig Sonic CinePlayer Decoder Pack Sonic Solutions 24.04.2009 4.2.0 notwendig Spelling Dictionaries Support For Adobe Reader 9 Adobe Systems Incorporated 15.03.2010 29.6MB 9.0.0 notwendig Studie zur Verbesserung von HP Officejet 6600 Produkten Hewlett-Packard Co. 09.06.2012 5.97MB 25.0.619.0 unnötig Windows Live Anmelde-Assistent Microsoft Corporation 04.05.2009 1.93MB 5.000.818.6 notwendig Windows Live Essentials Microsoft Corporation 24.04.2009 136MB 14.0.8050.1202 notwendig Windows Live Sync Microsoft Corporation 24.04.2009 2.79MB 14.0.8050.1202 notwendig Windows Live-Uploadtool Microsoft Corporation 24.04.2009 225KB 14.0.8014.1029 notwendig |
19.07.2012, 23:46 | #9 |
/// Malware-holic | Suisa - symptoms already removed
Uninstall: Adobe Flash Player (all of them). Adobe - Adobe Flash Player installieren: download the latest version.
Adobe Reader: Adobe - Adobe Reader herunterladen - Alle Versionen; untick the McAfee Security Scan checkbox.
Please also configure Adobe Reader as follows: open Adobe Reader, Edit, Preferences. General: tick "use only certified plug-ins". Internet: everything here should be disabled; it is very unsafe to open, download etc. PDFs automatically. It is always better to save them directly, because only then do you keep control over what is happening on the PC. Under JavaScript, untick "enable JavaScript". Under Updater, choose install automatically. Apply / OK.
Uninstall: Bing, Emsisoft, Google Toolbar.
Open CCleaner: Analyze, Run CCleaner.
Open OTL, Cleanup. The PC restarts; test how it runs.
20.07.2012, 08:15 | #10 |
| Suisa - symptoms already removed
So I have now tested everything important and found that it runs smoothly. |
25.07.2012, 21:04 | #11 |
/// Malware-holic | Suisa - symptoms already removed Then secure the PC: as an anti-malware program I would recommend Emsisoft. For me it offers the best protection, but it costs something. http://www.trojaner-board.de/103809-...i-malware.html Trial version: My antivirus recommendation: Emsisoft Anti-Malware. Especially if you do online banking, shopping, other payment processing or similarly important things, such as work, i.e. if there is sensitive data to protect, you should invest in security software. Use the 30-day trial period before activating the licence. Free, but not quite as good, would be Avast: http://www.trojaner-board.de/110895-...antivirus.html Tell me which one you use, then I'll give you configuration hints. Please uninstall your current AV.
The following guide is extensive, I know, but it should be followed, because only then is your PC secure. Ask as many questions as you need, I'm happy to work through everything with you! http://www.trojaner-board.de/96344-a...-rechners.html
Please start with the section "Windows Vista and Windows 7". Please begin by installing Windows updates. The easiest way is to go to Start, Search, and enter Windows Update there. Under "Change settings" check that the following is selected:
- Install updates automatically
- Every day
- choose a time
- Please tick all the rest, except:
- show detailed notifications when new Microsoft software is available.
Now click the "OK" button. Now click "Check for updates". Please install the important updates first. It will be necessary to restart the PC in between. If so, you must open Windows Update again via Start, Search, click "Check for updates" and install the next ones. Please do the same with the optional updates. Please follow the rest as described in the Windows 7 / Vista section.
From the XP section, please apply the item "Data Execution Prevention, DEP". As a browser I recommend Chrome: Installing Google Chrome for multiple user accounts - Google Chrome Help. Please read the guide. If you want to use a different one, tell me, then I'll have to parts of the guide that follows
Sandboxie The definition of a sandbox can be read here: Sandbox. In short, programs can be run almost 100% isolated from the system. The advantage is obvious: if malicious code is introduced via the browser, it cannot get out. Download link: Sandboxie Download - Sandboxie 3.72 Guide: http://www.trojaner-board.de/71542-a...sandboxie.html Detailed guide as PDF, also work through it: Sandbox Settings | Please make the following additional configuration: open Sandboxie Control, click the Sandbox menu, choose DefaultBox. There click on Sandbox Settings. Under Restrictions, at Start/Run Access and Internet Access enter: chrome.exe Then go to Applications, Web Browser, Chrome. There enable everything except sharing the entire profile folder. As you may already have seen, you cannot use some functions. These are only available in the full version, which I advise you to buy. For example, under "Forced Programs" you can specify that all browsers start in the sandbox. Otherwise you always have to click "Sandboxed Web Browser" or right-click, Run Sandboxed. A lifetime licence costs 30 € and can be used on all your PCs.
Continue with: Measures for ALL Windows versions, work through everything completely. Note on FileHippo: in the settings additionally select: hide beta updates. Run Update Checker when Windows starts. Backup program: a backup program is already linked in my guide; as an alternative, the Windows built-in backup program is also an option: http://www.trojaner-board.de/82962-w...en-backup.html However, this is only really usable for Windows 7 users.
Everyone else should definitely install a backup program too, because it can be very important under certain circumstances, for example when the hard disk breaks. Finally, observe the general security tips; if it applies to you, observe the tip on online banking and change all passwords. Please also read how to make programs visible to all accounts: Making programs usable for all accounts - PCtipp.ch - Praxis & Hilfe. So from now on surf only in the standard user account, and there in the sandbox. If you use the free version, do so by clicking Sandboxed Web Browser; if you have the paid version, you can set forced program starts, then Sandboxie is always started when you open a browser. When you move the mouse over the browser it should be framed, then you are in the sandboxed web browser
__________________ -Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de Forwarding guide: http://markusg.trojaner-board.de For now, please forward mails according to the above guide to markusg.trojaner-board@web.de If you would like to support us |
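An added check, not part of the post above and not trojaner-board's or Sandboxie's code: a PowerShell script that reports whether the Windows Update settings the post asks for (install automatically, every day, at a chosen time, recommended updates included) and the DEP policy are actually in place, using the Windows Update Agent COM API (Microsoft.Update.AutoUpdate) and WMI (Win32_OperatingSystem). The -Fix switch and the 03:00 install time are my own choices, and I assume the XP section's DEP step means enabling DEP for all programs (OptOut); the script only reports the DEP state and prints the bcdedit command rather than changing boot settings itself. Run it in an elevated PowerShell on Vista/7.

```powershell
# Added example (not from the thread): verify the Windows Update and DEP settings
# the post recommends. Uses the WUA COM API and WMI, both present on Vista/7.
# On newer Windows the Automatic Updates settings may be managed by policy and
# then report as read-only.
[CmdletBinding()]
param(
    # Apply the recommended Windows Update settings instead of only reporting them
    [switch]$Fix
)

$findings = @()

# --- Windows Update: automatic install, every day, recommended updates included ---
$au       = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$settings = $au.Settings

# NotificationLevel: 1 = disabled, 2 = notify before download,
# 3 = notify before install, 4 = scheduled (automatic) installation
$levelNames = @{ 0 = 'not configured'; 1 = 'disabled'; 2 = 'notify before download';
                 3 = 'notify before install'; 4 = 'install automatically' }
# ScheduledInstallationDay: 0 = every day, 1..7 = Sunday..Saturday
$dayNames = @{ 0 = 'every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday';
               4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }

$wuArgs = @(
    $levelNames[[int]$settings.NotificationLevel],
    $dayNames[[int]$settings.ScheduledInstallationDay],
    [int]$settings.ScheduledInstallationTime,
    $settings.IncludeRecommendedUpdates
)
Write-Host ('Windows Update: {0}, {1}, at {2:00}:00, recommended updates included: {3}' -f $wuArgs)

if ($settings.NotificationLevel -ne 4) {
    $findings += 'Windows Update is not set to install updates automatically'
}
if ($settings.ScheduledInstallationDay -ne 0) {
    $findings += 'Windows Update is not scheduled for every day'
}
if (-not $settings.IncludeRecommendedUpdates) {
    $findings += 'Recommended (optional) updates are not included'
}

if ($Fix -and $findings.Count -gt 0) {
    if ($settings.ReadOnly) {
        Write-Warning 'Automatic Updates settings are read-only (managed by policy); not changed'
    } else {
        $settings.NotificationLevel        = 4      # install automatically
        $settings.ScheduledInstallationDay = 0      # every day
        $settings.ScheduledInstallationTime = 3     # 03:00 (my choice; pick an hour the PC is on)
        $settings.IncludeRecommendedUpdates = $true
        $settings.Save()
        Write-Host 'Windows Update settings applied.'
    }
}

# --- DEP (Datenausführungsverhinderung) ---
# DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (Windows programs and services only, the default), 3 = OptOut (all programs)
$os       = Get-WmiObject -Class Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn';
               2 = 'OptIn (Windows programs and services only)';
               3 = 'OptOut (all programs except listed exceptions)' }
$dep = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Host ('DEP policy: {0}; hardware DEP available: {1}' -f $depNames[$dep], $os.DataExecutionPrevention_Available)

if (1, 3 -notcontains $dep) {
    # Assumption: the guide's DEP step means protecting all programs, i.e. OptOut.
    $findings += 'DEP is not enabled for all programs; as administrator run: bcdedit /set {current} nx OptOut  and reboot'
}

# --- Summary ---
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
} else {
    Write-Host 'All checked settings match the recommendations.'
    exit 0
}
```

Run it once to see the current state, and again with -Fix to apply the update settings; the non-zero exit code makes it usable from a scheduled task or a helper's checklist script. The DEP change is deliberately left to bcdedit so that a boot-configuration edit is an explicit, visible step.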