Pests of all kinds and how to fight them: Polizei-Trojaner Österreich | Windows 7

If you are not sure whether you have caught malware or a trojan, create a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you remove the infection.
10.08.2012, 11:08 | #1
Polizei-Trojaner Österreich

Hello,

Yesterday evening I caught a version of the Polizei-Trojaner. Since I already had problems with it once before and was helped here, I am turning to you again. I was able to get rid of the trojan's image blocking the entire screen via Ctrl+Alt+Del followed by an aborted restart. The image only appears once I connect to the internet. I also noticed that there is a new .txt file on my desktop, which is back again after the next restart if I deleted it beforehand. Its name is "ldsw_0paos.txt". Defogger, OTL and GMER were downloaded and run as described. The logs are here:

Defogger: Quote:
OTL Logfile: Code:
OTL logfile created on: 10.08.2012 11:32:52 - Run 7
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\***\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000C07 | Country: Österreich | Language: DEA | Date Format: dd.MM.yyyy

2,99 Gb Total Physical Memory | 1,81 Gb Available Physical Memory | 60,40% Memory free
5,98 Gb Paging File | 4,69 Gb Available in Paging File | 78,36% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 910,41 Gb Total Space | 836,01 Gb Free Space | 91,83% Space Free | Partition Type: NTFS
Drive D: | 20,00 Gb Total Space | 8,76 Gb Free Space | 43,79% Space Free | Partition Type: NTFS
Drive I: | 7,27 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: HPC | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\***\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe (Adobe Systems, Inc.)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Ask.com\Updater\Updater.exe (Ask)
PRC - C:\Programme\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Users\***\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Programme\Autodesk\Content Service\Connect.Service.ContentService.exe (Autodesk, Inc.)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Programme\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Programme\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Programme\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
PRC - C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
PRC - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE (Microsoft Corporation)
PRC - C:\Programme\Common Files\MAGIX Services\Database\bin\FABS.exe (MAGIX AG)
PRC - C:\Windows\System32\PSIService.exe ()

========== Modules (No Company Name) ==========

MOD - C:\Users\***\AppData\Local\Temp\soap0_wsdl.exe ()
MOD - C:\Windows\System32\Macromed\Flash\NPSWF32_11_3_300_270.dll ()
MOD - C:\Programme\Mozilla Firefox\mozjs.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll ()
MOD - C:\Programme\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Programme\WinRAR\RarExt.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll ()
MOD - C:\Programme\CyberLink\Power2Go\CLMLSvcPS.dll ()
MOD - C:\Programme\CyberLink\Power2Go\CLMediaLibrary.dll ()

========== Win32 Services (SafeList) ==========

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (FLEXnet Licensing Service) -- C:\Programme\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Flexera Software, Inc.)
SRV - (AntiVirSchedulerService) -- C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirWebService) -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (Autodesk Content Service) -- C:\Programme\Autodesk\Content Service\Connect.Service.ContentService.exe (Autodesk, Inc.)
SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (IAStorDataMgrSvc) -- C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (SeaPort) -- C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (wlidsvc) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (Fabs) -- C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe (MAGIX AG)
SRV - (FirebirdServerMAGIXInstance) -- C:\Programme\Common Files\MAGIX Services\Database\bin\fbserver.exe (MAGIX®)
SRV - (ProtexisLicensing) -- C:\Windows\System32\PSIService.exe ()

========== Driver Services (SafeList) ==========

DRV - (fgtdipow) -- C:\Users\***\AppData\Local\Temp\fgtdipow.sys File not found
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira GmbH)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (RTL8192su) -- C:\Windows\System32\drivers\RTL8192su.sys (Realtek Semiconductor Corporation )
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (hwdatacard) -- C:\Windows\System32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.aldi.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://medion.msn.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://medion.msn.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.avira.com/?l=dis&o=APN10397&gct=hp&dc=EU&locale=de_AT
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\SearchScopes,DefaultScope = {51AD7E33-8B70-4C95-BCA9-0DF859F5190E}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{51AD7E33-8B70-4C95-BCA9-0DF859F5190E}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=MEDTDF&pc=MAMD&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{8E151F91-49FC-41A2-B386-AE51C8EAB48C}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-3&o=APN10397&src=kw&q={searchTerms}&locale=&apn_ptnrs=^ABV&apn_dtid=^YYYYYY^YY^AT&apn_uid=0a216af4-f5d0-4c12-9cb0-268693c7504f&apn_sauid=13D23C7D-50EA-4D38-85E1-A1E9D18A294B
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.startup.homepage: "hxxp://search.avira.com/?l=dis&o=APN10397&gct=hp&dc=EU&locale=de_AT"
FF - prefs.js..keyword.URL: "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10397&locale=de_AT&apn_uid=0a216af4-f5d0-4c12-9cb0-268693c7504f&apn_ptnrs=%5EABV&apn_sauid=13D23C7D-50EA-4D38-85E1-A1E9D18A294B&apn_dtid=%5EYYYYYY%5EYY%5EAT&&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_270.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.21 15:37:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.21 15:37:59 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012.05.05 22:40:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2012.08.08 21:09:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\0828w9hw.default\extensions
[2012.08.08 21:09:29 | 000,000,000 | ---D | M] (Avira SearchFree Toolbar plus Web Protection) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\0828w9hw.default\extensions\toolbar@ask.com
[2012.08.08 21:09:29 | 000,002,344 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\0828w9hw.default\searchplugins\askcom.xml
[2012.05.05 22:40:25 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.07.21 15:37:59 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.03.13 07:23:34 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.03.13 07:06:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.03.13 07:23:34 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.03.13 07:23:34 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.03.13 07:23:34 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.03.13 07:23:34 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live ID-Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Avira SearchFree Toolbar plus Web Protection) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Avira SearchFree Toolbar plus Web Protection) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [Autodesk Sync] C:\Programme\Autodesk\Autodesk Sync\AdSync.exe (Autodesk, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [IAStorIcon] C:\Programme\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Users\***\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKCU..\Run: [svhost.exe] C:\Users\***\AppData\Roaming\svhost.exe ()
O4 - Startup: C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/5221-29898-17534-1/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/5221-29898-17534-1/4 File not found
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab (Microsoft Genuine Advantage Self Support Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D512B3E1-DDB5-4E7A-9695-7E5040B2D385}: NameServer = 213.162.69.170 213.162.69.169
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012.06.17 19:54:46 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2007.05.16 19:31:20 | 000,102,400 | R--- | M] (Huawei Technologies Co., Ltd.) - I:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2007.06.25 22:36:04 | 000,000,049 | R--- | M] () - I:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{3fdba3e2-96f2-11e1-aee5-406186789597}\Shell - "" = AutoRun
O33 - MountPoints2\{3fdba3e2-96f2-11e1-aee5-406186789597}\Shell\AutoRun\command - "" = K:\AutoRun.exe
O33 - MountPoints2\{3fdba3fb-96f2-11e1-aee5-406186789597}\Shell - "" = AutoRun
O33 - MountPoints2\{3fdba3fb-96f2-11e1-aee5-406186789597}\Shell\AutoRun\command - "" = K:\AutoRun.exe
O33 - MountPoints2\{71dc7541-b84c-11e1-9668-406186789597}\Shell - "" = AutoRun
O33 - MountPoints2\{71dc7541-b84c-11e1-9668-406186789597}\Shell\AutoRun\command - "" = J:\Setup.exe
O33 - MountPoints2\{c6ae12d6-bb0c-11e1-a136-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{c6ae12d6-bb0c-11e1-a136-806e6f6e6963}\Shell\AutoRun\command - "" = I:\AutoRun.exe -- [2007.05.16 19:31:20 | 000,102,400 | R--- | M] (Huawei Technologies Co., Ltd.)
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\AutoRun.exe -- [2007.05.16 19:31:20 | 000,102,400 | R--- | M] (Huawei Technologies Co., Ltd.)
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.08.10 11:31:05 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2012.08.08 21:09:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012.08.08 21:09:21 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2012.07.28 12:47:00 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\Tropico 3
[2012.07.12 21:49:05 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012.07.12 21:49:04 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012.07.12 21:49:04 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012.07.12 21:49:04 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012.07.12 21:49:03 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012.07.12 21:49:03 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012.07.12 21:49:03 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012.07.12 14:25:04 | 000,219,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll
[2012.07.12 14:25:03 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml3r.dll
[2012.07.12 14:25:02 | 000,805,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdosys.dll
[2012.07.11 18:58:31 | 002,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

========== Files - Modified Within 30 Days ==========

[2012.08.10 11:34:35 | 001,180,440 | ---- | M] () -- C:\Users\***\Desktop\ldsw_0paos.pad
[2012.08.10 11:33:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.08.10 11:31:07 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2012.08.10 11:05:01 | 000,000,000 | ---- | M] () -- C:\Users\***\defogger_reenable
[2012.08.10 11:03:46 | 000,302,592 | ---- | M] () -- C:\Users\***\Desktop\sr2fbl4q.exe
[2012.08.10 11:03:36 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.10 11:03:36 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.10 11:01:50 | 000,050,477 | ---- | M] () -- C:\Users\***\Desktop\Defogger.exe
[2012.08.10 11:00:46 | 000,696,132 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.08.10 11:00:46 | 000,651,450 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.08.10 11:00:46 | 000,147,428 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.08.10 11:00:46 | 000,120,382 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.08.10 10:56:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.10 10:55:54 | 2408,927,232 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.09 22:16:42 | 000,001,895 | ---- | M] () -- C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012.08.08 21:09:31 | 000,002,020 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2012.08.06 20:31:47 | 000,017,821 | ---- | M] () -- C:\Users\***\Documents\ich will bucay.odt
[2012.08.03 20:33:45 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012.08.03 20:33:45 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012.07.12 14:19:30 | 000,465,608 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012.08.10 11:05:01 | 000,000,000 | ---- | C] () -- C:\Users\***\defogger_reenable
[2012.08.10 11:03:45 | 000,302,592 | ---- | C] () -- C:\Users\***\Desktop\sr2fbl4q.exe
[2012.08.10 11:01:49 | 000,050,477 | ---- | C] () -- C:\Users\***\Desktop\Defogger.exe
[2012.08.10 10:53:14 | 001,180,440 | ---- | C] () -- C:\Users\*\Desktop\ldsw_0paos.pad
[2012.08.09 22:16:42 | 000,001,895 | ---- | C] () -- C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012.08.06 20:31:44 | 000,017,821 | ---- | C] () -- C:\Users\***\Documents\ich will bucay.odt
[2012.06.17 20:36:52 | 000,002,560 | RHS- | C] () -- C:\Users\***\AppData\Roaming\svhost.exe
[2012.06.17 20:25:52 | 000,000,147 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc

< End of report >

Extras: OTL Logfile: Code:
OTL Extras logfile created on: 10.08.2012 11:32:52 - Run 7
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\***\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000C07 | Country: Österreich | Language: DEA | Date Format: dd.MM.yyyy

2,99 Gb Total Physical Memory | 1,81 Gb Available Physical Memory | 60,40% Memory free
5,98 Gb Paging File | 4,69 Gb Available in Paging File | 78,36% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 910,41 Gb Total Space | 836,01 Gb Free Space | 91,83% Space Free | Partition Type: NTFS
Drive D: | 20,00 Gb Total Space | 8,76 Gb Free Space | 43,79% Space Free | Partition Type: NTFS
Drive I: | 7,27 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: HPC | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- Reg Error: Value error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{653816A0-9F9D-4155-BBA4-E8024CF5A18A}" = lport=50248 | protocol=6 | dir=in | name=autodesk content service |
"{8C25EF05-5674-44B5-BAB1-05F082465BD5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{9CC5E7AA-2476-493D-9D7A-14BA1477B1E3}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0578C8F4-12EC-4882-A0B3-3DF803AF374B}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{A07E18C2-055E-4491-AFE5-FFAC7368B936}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{D65A4564-FD35-4AB9-A2F8-400F549BEC7D}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{E05DE648-7B13-4AAE-9DEF-AF02547E3415}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{E6C1657C-996A-4F2A-885C-E273754B0741}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"TCP Query User{3E620640-9684-450B-91C3-11372F3BC195}C:\users\***\appdata\local\akamai\netsession_win.exe" = protocol=6 | dir=in | app=c:\users\***\appdata\local\akamai\netsession_win.exe |
"UDP Query User{C8494063-BA5B-41A2-B22A-16C9BE432B63}C:\users\***\appdata\local\akamai\netsession_win.exe" = protocol=17 | dir=in | app=c:\users\***\appdata\local\akamai\netsession_win.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3
"{0673654C-5296-453B-9798-B61CD7E03FEB}" = SES Driver
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID-Anmelde-Assistent
"{117EBEEB-5DB0-43C8-9FD6-DD583DB152DD}" = Autodesk Material Library 2013
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
"{2BA722D1-48D1-406E-9123-8AE5431D63EF}" = Windows Live Fotogalerie
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3E6F0CAD-EE38-42A5-9EEA-AE17A55BF2D4}" = Firebird SQL Server - MAGIX Edition
"{3EFEF049-23D4-4B46-8903-4592FEA51018}" = Windows Live Movie Maker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{41E654A9-26D0-4EAC-854B-0FA824FFFABB}" = Windows Live Messenger
"{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{5783F2D7-B001-0000-0002-0060B0CE6BBA}" = AutoCAD 2013 - Deutsch (German)
"{5783F2D7-B001-0407-1002-0060B0CE6BBA}" = AutoCAD 2013 Language Pack - Deutsch (German)
"{5783F2D7-B001-0407-2002-0060B0CE6BBA}" = AutoCAD 2013 - Deutsch (German)
"{5FC68772-6D56-41C6-9DF1-24E868198AE6}" = Windows Live Call
"{606E12B9-641F-4644-A22A-FF38AE980AFD}" = Autodesk Material Library Base Resolution Image Library 2013
"{62F029AB-85F2-0000-866A-9FC0DD99DDBC}" = Autodesk Content Service
"{62F029AB-85F2-0001-866A-9FC0DD99DDBC}" = Autodesk Content Service Language Pack
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{70B7A167-0B88-445D-A3EA-97C73AA88CAC}" = Windows Live Toolbar
"{76618402-179D-4699-A66B-D351C59436BC}" = Windows Live Sync
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{82C1E6E4-6718-4EFD-9DCC-E276D690EF46}" = Autodesk Inventor Fusion Plugin for AutoCAD 2013
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{951B0F30-9F1A-4BF6-B3DA-99EB0E917B1C}" = FARO LS 1.1.406.58
"{A062A15F-9CAC-4B88-98DF-87628A0BD721}" = Corel MediaOne
"{A334F1BA-0A1D-4ED6-B4F9-4066157CA15D}" = DE
"{AC76BA86-7AD7-1031-7B44-A95000000001}" = Adobe Reader 9.5.1 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ADDBE07D-95B8-4789-9C76-187FFF9624B4}" = CorelDRAW Essential Edition 3
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU]
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
"{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}" = NVIDIA PhysX
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"{EE5F74BC-5CD5-4EF2-86BA-81E6CF46A18F}" = Autodesk Sync
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager "{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F}" = Windows Live Essentials "{FE2F4875-095C-427C-9A97-4F8DE05ACF22}" = Autodesk Inventor Fusion Plugin Language Pack for AutoCAD 2013 "{FFF5619F-2013-0032-A85E-9994F70A9E5D}" = Autodesk Inventor Fusion 2013 "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "AutoCAD 2013 - Deutsch (German)" = AutoCAD 2013 - Deutsch (German) "Autodesk Content Service" = Autodesk Content Service "Autodesk Inventor Fusion 2013" = Autodesk Inventor Fusion 2013 "Autodesk Inventor Fusion Plugin for AutoCAD 2013" = Autodesk Inventor Fusion plug-in for AutoCAD 2013 "Avira AntiVir Desktop" = Avira Free Antivirus "BitTorrent" = BitTorrent "InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go "InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended "Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de) "MozillaMaintenanceService" = Mozilla Maintenance Service "NVIDIA Display Control Panel" = NVIDIA Display Control Panel "NVIDIA Drivers" = NVIDIA Drivers "TOTO PC-SYSTEM" = TOTO PC-SYSTEM "Tropico3" = Tropico 3: Absolute Power "VirtualCloneDrive" = VirtualCloneDrive "web'n'walk Manager 1.6" = web'n'walk Manager 1.6 "WinLiveSuite_Wave3" = Windows Live Essentials "WinRAR archiver" = WinRAR 4.11 (32-Bit) ========== HKEY_CURRENT_USER Uninstall List ========== [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{79A765E1-C399-405B-85AF-466F52E918B0}" = Avira SearchFree Toolbar plus Web Protection Updater "Akamai" = Akamai 
NetSession Interface ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 04.08.2012 07:46:01 | Computer Name = HPC | Source = RasClient | ID = 20227 Description = Error - 04.08.2012 07:46:15 | Computer Name = HPC | Source = RasClient | ID = 20227 Description = Error - 04.08.2012 14:40:39 | Computer Name = HPC | Source = RasClient | ID = 20227 Description = Error - 04.08.2012 14:41:00 | Computer Name = HPC | Source = RasClient | ID = 20227 Description = Error - 04.08.2012 14:41:39 | Computer Name = HPC | Source = RasClient | ID = 20227 Description = Error - 05.08.2012 08:06:13 | Computer Name = HPC | Source = Application Error | ID = 1000 Description = Name der fehlerhaften Anwendung: FlashPlayerPlugin_11_3_300_270.exe, Version: 11.3.300.270, Zeitstempel: 0x50198027 Name des fehlerhaften Moduls: NPSWF32_11_3_300_270.dll, Version: 11.3.300.270, Zeitstempel: 0x5019828e Ausnahmecode: 0xc0000005 Fehleroffset: 0x0066ea8a ID des fehlerhaften Prozesses: 0x544 Startzeit der fehlerhaften Anwendung: 0x01cd7302a36d18ba Pfad der fehlerhaften Anwendung: C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe Pfad des fehlerhaften Moduls: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_270.dll Berichtskennung: f34aa4d3-def5-11e1-902c-406186789597 Error - 06.08.2012 10:23:44 | Computer Name = HPC | Source = SideBySide | ID = 16842811 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll". Fehler in Manifest- oder Richtliniendatei "c:\program files\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll" in Zeile 2. Ungültige XML-Syntax. Error - 07.08.2012 13:27:21 | Computer Name = HPC | Source = SideBySide | ID = 16842811 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll". 
Fehler in Manifest- oder Richtliniendatei "c:\program files\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll" in Zeile 2. Ungültige XML-Syntax. Error - 08.08.2012 13:56:48 | Computer Name = HPC | Source = RasClient | ID = 20227 Description = Error - 09.08.2012 09:02:29 | Computer Name = HPC | Source = SideBySide | ID = 16842811 Description = Fehler beim Generieren des Aktivierungskontextes für "c:\program files\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll". Fehler in Manifest- oder Richtliniendatei "c:\program files\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll" in Zeile 2. Ungültige XML-Syntax. [ System Events ] Error - 05.05.2012 16:36:04 | Computer Name = WIN-ATSHSQEKCIB | Source = Service Control Manager | ID = 7022 Description = Der Dienst "BullGuard File Scan Service" wurde nicht richtig gestartet. Error - 05.05.2012 16:36:07 | Computer Name = WIN-ATSHSQEKCIB | Source = Service Control Manager | ID = 7022 Description = Der Dienst "BullGuard Firewall Service" wurde nicht richtig gestartet. Error - 05.05.2012 16:36:09 | Computer Name = WIN-ATSHSQEKCIB | Source = Service Control Manager | ID = 7022 Description = Der Dienst "BullGuard Email Monitoring Service" wurde nicht richtig gestartet. Error - 05.05.2012 15:51:32 | Computer Name = HPC | Source = Service Control Manager | ID = 7022 Description = Der Dienst "BullGuard File Scan Service" wurde nicht richtig gestartet. Error - 05.05.2012 15:51:35 | Computer Name = HPC | Source = Service Control Manager | ID = 7022 Description = Der Dienst "BullGuard Firewall Service" wurde nicht richtig gestartet. Error - 05.05.2012 15:51:37 | Computer Name = HPC | Source = Service Control Manager | ID = 7022 Description = Der Dienst "BullGuard Email Monitoring Service" wurde nicht richtig gestartet. 
Error - 05.05.2012 17:08:46 | Computer Name = HPC | Source = Service Control Manager | ID = 7023
Description = Der Dienst "Windows Modules Installer" wurde mit folgendem Fehler beendet: %%16405

Error - 05.05.2012 19:11:18 | Computer Name = HPC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Windows Internet Explorer 9 für Windows 7

Error - 06.05.2012 06:19:19 | Computer Name = HPC | Source = DCOM | ID = 10010
Description =

< End of report >

Gmer:

GMER Logfile:
Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-08-10 11:50:23
Windows 6.1.7601 Service Pack 1
Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.80.0
Running: sr2fbl4q.exe; Driver: C:\Users\FAMILY\AppData\Local\Temp\fgtdipow.sys

---- System - GMER 1.0.15 ----

SSDT 904539CE ZwCreateSection
SSDT 904539D8 ZwRequestWaitReplyPort
SSDT 904539D3 ZwSetContextThread
SSDT 904539DD ZwSetSecurityObject
SSDT 904539E2 ZwSystemDebugControl
SSDT 9045396F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 836873C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 836C0D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 836C7EAC 4 Bytes [CE, 39, 45, 90] {INTO ; CMP [EBP-0x70], EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 836C8208 4 Bytes [D8, 39, 45, 90] {FDIVR DWORD [ECX]; INC EBP; NOP }
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 836C824C 4 Bytes [D3, 39, 45, 90] {SAR DWORD [ECX], CL; INC EBP; NOP }
.text ntkrnlpa.exe!KeRemoveQueueEx + 1613 836C82C8 4 Bytes [DD, 39, 45, 90] {FNSTSW [ECX]; INC EBP; NOP }
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 836C831C 4 Bytes [E2, 39, 45, 90] {LOOP 0x3b; INC EBP; NOP }
.text ...
---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[260] kernel32.dll!CreateThread 75FEDCC2 5 Bytes JMP 676A75CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!EnableWindow 76128D02 5 Bytes JMP 676E9EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!CallNextHookEx 7612ABE1 5 Bytes JMP 67707FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!UnhookWindowsHookEx 7612ADF9 5 Bytes JMP 6772ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DefWindowProcA 7612BB1C 7 Bytes JMP 676A97F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!CreateWindowExA 7612BF40 5 Bytes JMP 676B362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!SetWindowsHookExW 7612E30C 5 Bytes JMP 676E25AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!CreateWindowExW 7612EC7C 5 Bytes JMP 677103B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DefWindowProcW 7613507D 7 Bytes JMP 67708042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxParamW 76143B9B 5 Bytes JMP 6764187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] 
USER32.dll!DialogBoxIndirectParamW 76153B7F 5 Bytes JMP 67838D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxParamA 7616CF42 5 Bytes JMP 67838D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!DialogBoxIndirectParamA 7616D274 5 Bytes JMP 67838DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxIndirectA 7617E869 5 Bytes JMP 67838CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxIndirectW 7617E963 5 Bytes JMP 67838C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxExA 7617E9C9 5 Bytes JMP 67838BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] USER32.dll!MessageBoxExW 7617E9ED 5 Bytes JMP 67838B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] ole32.dll!OleLoadFromStream 76436143 5 Bytes JMP 6783955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] WS2_32.dll!closesocket 75E33918 5 Bytes JMP 5D78EEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] WS2_32.dll!socket 75E33EB8 5 Bytes JMP 5D78E59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] 
WS2_32.dll!getaddrinfo 75E34296 5 Bytes JMP 5D78E71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] WS2_32.dll!recv 75E36B0E 5 Bytes JMP 5D78F1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] WS2_32.dll!connect 75E36BDD 5 Bytes JMP 5D78E62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[260] WS2_32.dll!send 75E36F01 5 Bytes JMP 5D78E9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!EnableWindow 76128D02 5 Bytes JMP 676E9EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxParamW 76143B9B 5 Bytes JMP 6764187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxIndirectParamW 76153B7F 5 Bytes JMP 67838D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxParamA 7616CF42 5 Bytes JMP 67838D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!DialogBoxIndirectParamA 7616D274 5 Bytes JMP 67838DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!MessageBoxIndirectA 7617E869 5 Bytes JMP 67838CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) 
.text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!MessageBoxIndirectW 7617E963 5 Bytes JMP 67838C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!MessageBoxExA 7617E9C9 5 Bytes JMP 67838BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2196] USER32.dll!MessageBoxExW 7617E9ED 5 Bytes JMP 67838B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4416] ntdll.dll!LdrGetProcedureAddress + 26 77402239 7 Bytes JMP 57BAB52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4416] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75FE93D6 7 Bytes JMP 57E5B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4416] kernel32.dll!QueryPerformanceCounter + 13 75FEC435 7 Bytes JMP 57E5B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[4416] GDI32.dll!GetViewportOrgEx + 26C 7662884B 7 Bytes JMP 57E5B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5288] USER32.dll!GetWindowInfo 76134B5E 5 Bytes JMP 57D2BACC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[5288] USER32.dll!ToUnicodeEx + 71 76142223 7 Bytes JMP 57D2C0F9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtCreateFile + 6 773E55CE 4 Bytes [28, 00, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtCreateFile + B 773E55D3 1 Byte [E2] .text 
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtCreateKey + 6 773E560E 4 Bytes [68, 01, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtCreateKey + B 773E5613 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtCreateMutant + 6 773E564E 4 Bytes [68, 02, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtCreateMutant + B 773E5653 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtCreateSection + 6 773E56EE 4 Bytes [A8, 02, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtCreateSection + B 773E56F3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtMapViewOfSection + B 773E5C33 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenFile + 6 773E5CDE 4 Bytes [68, 00, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenFile + B 773E5CE3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenKey + 6 773E5D0E 4 Bytes [A8, 01, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenKey + B 773E5D13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenKeyEx + B 773E5D23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenMutant + 6 773E5D5E 4 Bytes [28, 02, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenMutant + B 773E5D63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] 
ntdll.dll!NtOpenProcess + 6 773E5D8E 1 Byte [68] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenProcess + 6 773E5D8E 4 Bytes [68, 03, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenProcess + B 773E5D93 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenProcessToken + 6 773E5D9E 1 Byte [A8] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenProcessToken + 6 773E5D9E 4 Bytes [A8, 03, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenProcessToken + B 773E5DA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenProcessTokenEx + 6 773E5DAE 4 Bytes [68, 04, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenProcessTokenEx + B 773E5DB3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenSection + B 773E5DD3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenThread + 6 773E5E0E 1 Byte [28] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenThread + 6 773E5E0E 4 Bytes [28, 03, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenThread + B 773E5E13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenThreadToken + 6 773E5E1E 4 Bytes [28, 04, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenThreadToken + B 773E5E23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenThreadTokenEx + 6 773E5E2E 4 Bytes [A8, 04, 07, 
00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtOpenThreadTokenEx + B 773E5E33 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtQueryAttributesFile + 6 773E5F3E 4 Bytes [A8, 00, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtQueryAttributesFile + B 773E5F43 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtQueryFullAttributesFile + B 773E5FF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtSetInformationFile + 6 773E663E 4 Bytes [28, 01, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtSetInformationFile + B 773E6643 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtSetInformationThread + 6 773E669E 1 Byte [E8] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtSetInformationThread + B 773E66A3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtUnmapViewOfSection + 6 773E69BE 4 Bytes [28, 05, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ntdll.dll!NtUnmapViewOfSection + B 773E69C3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] kernel32.dll!CreateProcessW 75FA204D 5 Bytes JMP 00010030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] kernel32.dll!CreateProcessA 75FA2082 5 Bytes JMP 00010070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!DeleteObject 76625F14 5 Bytes JMP 001101B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!SelectObject 76626640 5 Bytes JMP 001105F0 .text 
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!SetTextColor 76626906 5 Bytes JMP 001109F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!SetBkMode 766269B1 5 Bytes JMP 001108B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!DeleteDC 76626EAA 5 Bytes JMP 00110170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetDeviceCaps 76626F7F 5 Bytes JMP 001103B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!ExtSelectClipRgn 76627114 5 Bytes JMP 001102F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!SelectClipRgn 76627242 5 Bytes JMP 001105B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!SetStretchBltMode 76627705 5 Bytes JMP 00110670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetCurrentObject 76627917 5 Bytes JMP 00110370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetTextMetricsW 76627B8F 5 Bytes JMP 00110DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetTextAlign 76627DAF 5 Bytes JMP 00110D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!IntersectClipRect 76627DFE 5 Bytes JMP 001103F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!ExtTextOutW 76628192 5 Bytes JMP 00110930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!SetTextAlign 7662828E 5 Bytes JMP 001109B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetClipBox 76628525 5 Bytes JMP 00110330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!MoveToEx 
76628C21 5 Bytes JMP 00110470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!StretchDIBits 7662A53E 5 Bytes JMP 00110730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!RestoreDC 7662A67B 5 Bytes JMP 00110530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!SaveDC 7662A74B 5 Bytes JMP 00110570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetTextExtentPoint32W 7662B4B5 5 Bytes JMP 00110630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetTextFaceW 7662B73A 2 Bytes JMP 00110CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetTextFaceW + 3 7662B73D 2 Bytes [AE, 89] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetFontData 7662BCC4 5 Bytes JMP 00110C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!SetWorldTransform 7662C90A 5 Bytes JMP 001106B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!CreateDCA 7662CCA9 5 Bytes JMP 001100B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!CreateDCW 7662CF79 5 Bytes JMP 001100F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!CreateICW 7662CFD0 5 Bytes JMP 00110130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!GetTextMetricsA 7662D0F2 5 Bytes JMP 00110DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!Rectangle 7662F1FF 5 Bytes JMP 00110970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] GDI32.dll!LineTo 7662F59B 5 Bytes JMP 00110430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] 
764936B2 5 Bytes JMP 00130070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[5572] ole32.dll!OleGetClipboard 764BFDCD 5 Bytes JMP 001300B0

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Many thanks in advance,
Regards, lowki |
10.08.2012, 15:38 | #2 |
/// Helfer-Team | Polizei-Trojaner Österreich Fix with OTL. Download OTL from Oldtimer (if you do not have it yet) and save it to your desktop (nowhere else).
Replace the *** asterisks with your user name again! Code:
:OTL
MOD - C:\Users\***\AppData\Local\Temp\soap0_wsdl.exe ()
DRV - (fgtdipow) -- C:\Users\***\AppData\Local\Temp\fgtdipow.sys File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\SearchScopes,DefaultScope = {51AD7E33-8B70-4C95-BCA9-0DF859F5190E}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{51AD7E33-8B70-4C95-BCA9-0DF859F5190E}: "URL" = http://www.bing.com/search?q={searchTerms}&form=MEDTDF&pc=MAMD&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{8E151F91-49FC-41A2-B386-AE51C8EAB48C}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=AVR-3&o=APN10397&src=kw&q={searchTerms}&locale=&apn_ptnrs=^ABV&apn_dtid=^YYYYYY^YY^AT&apn_uid=0a216af4-f5d0-4c12-9cb0-268693c7504f&apn_sauid=13D23C7D-50EA-4D38-85E1-A1E9D18A294B
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.startup.homepage: "http://search.avira.com/?l=dis&o=APN10397&gct=hp&dc=EU&locale=de_AT"
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10397&locale=de_AT&apn_uid=0a216af4-f5d0-4c12-9cb0-268693c7504f&apn_ptnrs=%5EABV&apn_sauid=13D23C7D-50EA-4D38-85E1-A1E9D18A294B&apn_dtid=%5EYYYYYY%5EYY%5EAT&&q="
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Avira SearchFree Toolbar plus Web Protection) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Avira SearchFree Toolbar plus Web Protection) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Users\***\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKCU..\Run: [svhost.exe] C:\Users\***\AppData\Roaming\svhost.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/5221-29898-17534-1/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/5221-29898-17534-1/4 File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2007.06.25 22:36:04 | 000,000,049 | R--- | M] () - I:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{3fdba3e2-96f2-11e1-aee5-406186789597}\Shell - "" = AutoRun
O33 - MountPoints2\{3fdba3e2-96f2-11e1-aee5-406186789597}\Shell\AutoRun\command - "" = K:\AutoRun.exe
O33 - MountPoints2\{3fdba3fb-96f2-11e1-aee5-406186789597}\Shell - "" = AutoRun
O33 - MountPoints2\{3fdba3fb-96f2-11e1-aee5-406186789597}\Shell\AutoRun\command - "" = K:\AutoRun.exe
O33 - MountPoints2\{71dc7541-b84c-11e1-9668-406186789597}\Shell - "" = AutoRun
O33 - MountPoints2\{71dc7541-b84c-11e1-9668-406186789597}\Shell\AutoRun\command - "" = J:\Setup.exe
O33 - MountPoints2\{c6ae12d6-bb0c-11e1-a136-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{c6ae12d6-bb0c-11e1-a136-806e6f6e6963}\Shell\AutoRun\command - "" = I:\AutoRun.exe -- [2007.05.16 19:31:20 | 000,102,400 | R--- | M] (Huawei Technologies Co., Ltd.)
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\AutoRun.exe -- [2007.05.16 19:31:20 | 000,102,400 | R--- | M] (Huawei Technologies Co., Ltd.)
[2012.08.10 11:03:46 | 000,302,592 | ---- | M] () -- C:\Users\***\Desktop\sr2fbl4q.exe
[2012.08.09 22:16:42 | 000,001,895 | ---- | M] () -- C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
[2012.06.17 20:36:52 | 000,002,560 | RHS- | C] () -- C:\Users\***\AppData\Roaming\svhost.exe
[2012.08.08 21:09:21 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2012.08.10 11:34:35 | 001,180,440 | ---- | M] () -- C:\Users\***\Desktop\ldsw_0paos.pad
[2012.08.10 11:33:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.08.10 11:03:36 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.10 11:03:36 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.10 10:53:14 | 001,180,440 | ---- | C] () -- C:\Users\*\Desktop\ldsw_0paos.pad
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[emptyflash]
Note for readers: the OTL script above was written exclusively for this user in this situation. Never run it on other computers; it can permanently damage other systems!
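A triage pass over the kind of OTL entries the script above removes, added here as an example that is not OTL's or the helper's code: it flags autostart files in user-writable directories, the svhost.exe lookalike, the orphaned Run value, the missing Temp driver and the MountPoints2 AutoRun command, while the Akamai and Ask entries pass because they carry vendor information and run from normal locations. The sample lines are constructed from the entries quoted above; the directory and lookalike lists are my own assumptions.

```python
import re
# Constructed sample: OTL lines quoted in this thread; *** is the poster's user-name mask.
SAMPLE_LINES = [
    r"MOD - C:\Users\***\AppData\Local\Temp\soap0_wsdl.exe ()",
    r"DRV - (fgtdipow) -- C:\Users\***\AppData\Local\Temp\fgtdipow.sys File not found",
    r"O4 - HKLM..\Run: [] File not found",
    r"O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)",
    r"O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Users\***\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)",
    r"O4 - HKCU..\Run: [svhost.exe] C:\Users\***\AppData\Roaming\svhost.exe ()",
    r'O33 - MountPoints2\{3fdba3e2-96f2-11e1-aee5-406186789597}\Shell\AutoRun\command - "" = K:\AutoRun.exe',
]
# Assumed list: locations a legitimately installed autostart program rarely runs from.
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public")
# Assumed list: filenames one letter away from a Windows binary, a common disguise.
LOOKALIKES = {"svhost.exe": "svchost.exe", "scvhost.exe": "svchost.exe"}
RUN_RE = re.compile(r"^O4 - HK\w+\.\.\\Run: \[([^\]]*)\] (.*)$")
# "<path> (<vendor>)" as OTL prints it; the vendor part is absent when the file is missing.
PATH_RE = re.compile(r"^(.+?\.(?:exe|sys|dll))(?: \(([^)]*)\))?", re.I)


def assess_path(rest):
    """Reasons why the file named at the start of `rest` deserves a closer look."""
    pm = PATH_RE.match(rest)
    if not pm:
        return []
    path, vendor = pm.group(1).lower(), pm.group(2)
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in path for d in USER_WRITABLE):
        reasons.append("runs from a user-writable profile/temp directory")
    if name in LOOKALIKES:
        reasons.append("name imitates the Windows binary " + LOOKALIKES[name])
    if vendor == "":
        reasons.append("no vendor information in the file")
    if rest.endswith("File not found"):
        reasons.append("registered entry whose file is missing")
    return reasons


def triage(lines):
    """Map every OTL line worth reviewing to the reasons it was flagged."""
    findings = {}
    for line in lines:
        reasons = []
        m = RUN_RE.match(line)
        if m:
            if not m.group(1) and m.group(2) == "File not found":
                reasons.append("orphaned Run value with an empty name")
            reasons += assess_path(m.group(2))
        elif line.startswith(("MOD - ", "DRV - ")):
            # DRV lines read "(service) -- path"; MOD lines carry just the path.
            reasons += assess_path(line.split(" -- ", 1)[-1] if line.startswith("DRV") else line[6:])
        elif "\\Shell\\AutoRun\\command" in line:
            reasons.append("AutoRun command bound to a removable-media mount point")
        if reasons:
            findings[line] = reasons
    return findings
```

A flag is a prompt for review, not a verdict; the Ask toolbar entries the script also removes are an unwanted-software decision rather than the persistence indicators this check looks for.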
11.08.2012, 20:22 | #3 | |
| Polizei-Trojaner Österreich Hello,
Thanks for your help! The script was executed, the system restarted, and at least the "police screen" no longer appears. A Windows window also appeared that redirected me to the following page: hxxp://www.microsoft.com/genuine/validate/DownloadValidationSupport.aspx?displaylang=de&sGuid=25deebb0-fd9d-4e73-842c-48a0dcff8ffd&OSV=6.1.7601.2.00010300.1.0.003.00.1031&LS=2&LegitCheckError=C004D301&GenuineInfo=00000000&Channel=1&ErrCode=00000000 To say one thing up front: this is one hundred percent original software; the virus-infected PC is a Medion PC from 2009. Here is the log file: Quote:
11.08.2012, 20:36 | #4 |
/// Helfer-Team | Polizei-Trojaner Österreich Very good! How is the computer running?
Step 1: Please run a full scan with Malwarebytes Anti-Malware and post the log.
Then:
Step 2: Please download AdwCleaner to your desktop.
12.08.2012, 10:08 | #5 | ||
| Polizei-Trojaner Österreich Hello, thanks for the quick replies! The computer runs very well, I don't notice any performance loss or the like. Here are the two logs: Malwarebytes: Quote:
Quote:
Last edited by lowki (12.08.2012 at 10:18) |
12.08.2012, 13:31 | #6 |
/// Helfer-Team | Polizei-Trojaner Österreich Very good!
Then: malware scan with Emsisoft Anti-Malware. Download the free version of => Emsisoft Anti-Malware and install the program. Download the current signatures via "Update now". Select the Freeware mode. Select "Detail Scan" and start the check of the computer via the "Scan" button. At the end of the scan, do not let it delete anything! Click "Save report" to save the log file to the desktop and post it here in the thread. Instructions: http://www.trojaner-board.de/103809-...i-malware.html
12.08.2012, 14:06 | #7 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Polizei-Trojaner Österreich Code:
C:\stefanos\Windows Programme\Google SketchUp Pro 8.0.3117\SketchUp 8\keygen\keygen.exe (RiskWare.Tool.CK)
Please always post log files in CODE tags |
26.09.2012, 12:42 | #8 |
/// Helfer-Team | Polizei-Trojaner Österreich Missing feedback. Are there problems working through the instructions above? To free up capacity for others seeking help, I am removing this thread from my notifications. If you want to continue, send me a PM or open a new thread. http://www.trojaner-board.de/69886-a...-beachten.html Note: the disappearance of the symptoms does not mean that your computer is clean. |