
Log Analysis and Evaluation: Malwarebytes Anti-Malware finds 1 infected object but crashes during the scan + Superfish.com in FF NoScript add-on

Windows 7. If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

22.01.2013, 23:43   #1
Sensor
 



Hello trojaner-board,

thanks in advance for your help.
I have followed Sunny's instructions for posting.

So, problem 1:

When I run a full scan with MBAM it hangs. This happens when the scan reaches encrypted files that I "encrypted" with Win7. At that point MBAM shows the info "1 infected object", but the scan does not continue, and if I try to do anything in MBAM it hangs and Win7 reports "not responding". At the same time the lsass.exe process causes over 90% CPU load. On top of that I can no longer get at the certificate because I have forgotten the password ^^.
A quick scan finds nothing, and the same happens when I put the file path on the ignore list. So am I too stu... for certificates? Or what is going on here?

Problem 2 is that on every website the NoScript add-on lists the site superfish.com (except on GMX, etc.) and I don't know where it comes from. Possibly from the installation of PDFCreator + PDF Architect, which wanted to install an add-on in FF. I said no and removed PDF Architect again.

If you need more info, I'll gladly provide it. Here is the OTL.txt

Code:
OTL logfile created on: 22.01.2013 21:03:18 - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\***\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 2,79 Gb Available Physical Memory | 69,88% Memory free
8,00 Gb Paging File | 6,74 Gb Available in Paging File | 84,28% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 149,04 Gb Total Space | 83,63 Gb Free Space | 56,11% Space Free | Partition Type: NTFS
Drive D: | 139,28 Gb Total Space | 41,31 Gb Free Space | 29,66% Space Free | Partition Type: NTFS
Drive F: | 298,08 Gb Total Space | 136,68 Gb Free Space | 45,85% Space Free | Partition Type: NTFS
 
Computer Name: ***-PC | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013.01.22 20:59:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
PRC - [2013.01.17 19:59:25 | 000,341,504 | ---- | M] () -- C:\ProgramData\BetterSoft\SaveByClick\SaveByClick.exe
PRC - [2012.12.18 15:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012.10.11 03:29:13 | 000,143,928 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe
PRC - [2012.05.15 11:48:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2011.06.28 17:22:06 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2010.01.13 08:19:42 | 000,182,912 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
PRC - [2010.01.13 08:11:52 | 007,109,248 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
PRC - [2010.01.05 12:59:12 | 000,170,624 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
PRC - [2009.06.19 09:29:42 | 000,105,016 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
PRC - [2009.06.19 09:29:26 | 002,488,888 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
PRC - [2009.06.15 16:30:42 | 000,084,536 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
PRC - [2009.01.16 17:12:28 | 000,221,184 | ---- | M] () -- C:\Windows\system\cm106eye.exe
PRC - [2008.12.22 16:15:34 | 000,174,648 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
PRC - [2008.08.13 20:00:08 | 000,113,208 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013.01.15 17:47:50 | 001,030,144 | ---- | M] () -- c:\progra~2\saveby~1\sprote~1.dll
MOD - [2012.05.30 07:51:08 | 000,699,280 | R--- | M] () -- C:\PROGRAM FILES (X86)\NORTON INTERNET SECURITY\ENGINE\20.2.0.19\wincfi39.dll
MOD - [2009.01.16 17:12:28 | 000,221,184 | ---- | M] () -- C:\Windows\system\cm106eye.exe
MOD - [2006.09.13 12:08:00 | 000,491,520 | ---- | M] () -- C:\Windows\system\cmau106.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2009.07.14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2013.01.20 03:50:36 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.12.20 18:39:36 | 000,541,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.12.18 15:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.11.09 11:21:24 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.10.11 03:29:13 | 000,143,928 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe -- (NIS)
SRV - [2012.05.15 11:48:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2011.09.27 20:04:08 | 000,359,192 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Programme\Common Files\LogiShrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2011.09.09 17:08:54 | 000,475,088 | ---- | M] (Cisco Systems, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -- (vpnagent)
SRV - [2011.06.28 17:22:06 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2010.03.18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.08.18 11:48:02 | 002,291,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009.06.15 16:30:42 | 000,084,536 | ---- | M] (ASUS) [Auto | Running] -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe -- (ASLDRService)
SRV - [2009.06.10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007.08.07 23:08:40 | 000,094,208 | ---- | M] () [Auto | Stopped] -- C:\Programme\ATKGFNEX\GFNEXSrv.exe -- (ATKGFNEXSrv)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012.12.09 14:43:15 | 000,177,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2012.10.09 02:00:02 | 000,776,864 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1402000.013\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2012.10.04 02:40:35 | 001,133,216 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1402000.013\symefa64.sys -- (SymEFA)
DRV:64bit: - [2012.10.04 02:40:20 | 000,493,216 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1402000.013\symds64.sys -- (SymDS)
DRV:64bit: - [2012.10.04 02:19:14 | 000,168,096 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1402000.013\ccsetx64.sys -- (ccSet_NIS)
DRV:64bit: - [2012.09.07 03:05:14 | 000,432,800 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1402000.013\symnets.sys -- (SymNetS)
DRV:64bit: - [2012.09.07 02:48:08 | 000,224,416 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1402000.013\ironx64.sys -- (SymIRON)
DRV:64bit: - [2012.08.30 07:52:28 | 001,109,296 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ATSwpWDF.sys -- (ATSwpWDF)
DRV:64bit: - [2012.08.23 15:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2012.08.23 15:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2012.08.08 18:50:44 | 000,043,680 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\SymIMV.sys -- (SymIM)
DRV:64bit: - [2012.05.24 22:36:56 | 000,037,496 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1402000.013\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2012.04.18 18:08:03 | 000,188,736 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2012.03.01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011.09.09 17:00:05 | 000,026,536 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vpnva64.sys -- (vpnva)
DRV:64bit: - [2011.09.09 16:59:19 | 000,106,408 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\acsock64.sys -- (acsock)
DRV:64bit: - [2011.09.02 07:30:36 | 000,060,696 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - [2011.09.02 07:30:24 | 000,066,840 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2011.06.10 05:34:52 | 000,539,240 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011.05.12 14:03:12 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\6E63.tmp -- (MEMSWEEP2)
DRV:64bit: - [2011.03.11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.20 14:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 10:37:42 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010.10.15 19:15:07 | 000,034,032 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\seehcri.sys -- (seehcri)
DRV:64bit: - [2010.10.15 19:14:37 | 000,027,176 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ggsemc.sys -- (ggsemc)
DRV:64bit: - [2010.10.15 19:14:37 | 000,013,352 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ggflt.sys -- (ggflt)
DRV:64bit: - [2010.07.27 22:08:31 | 000,314,016 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt)
DRV:64bit: - [2010.07.27 22:08:30 | 000,043,680 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt)
DRV:64bit: - [2010.07.27 15:01:39 | 000,834,544 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2010.03.18 10:00:40 | 000,041,040 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV:64bit: - [2009.10.01 18:04:54 | 001,307,648 | ---- | M] (C-Media Electronics Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CM10664.sys -- (USBMULCD)
DRV:64bit: - [2009.09.15 18:40:42 | 006,952,960 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64)
DRV:64bit: - [2009.08.21 09:52:09 | 000,079,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009.08.17 12:15:44 | 000,286,768 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009.07.14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.10 22:01:06 | 001,146,880 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2009.06.10 21:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64)
DRV:64bit: - [2009.06.10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.05.13 08:07:20 | 000,015,928 | ---- | M] (ASUS) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ATK64AMD.sys -- (MTsensor)
DRV:64bit: - [2009.03.09 15:58:00 | 000,060,416 | ---- | M] (ITE Tech. Inc. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\itecir.sys -- (itecir)
DRV:64bit: - [2008.08.24 21:12:02 | 000,038,400 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bpenum.sys -- (bpenum)
DRV:64bit: - [2008.06.24 12:50:00 | 000,065,024 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimmpx64.sys -- (rimmptsk)
DRV:64bit: - [2008.06.03 22:41:50 | 000,017,464 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\kbfiltr.sys -- (kbfiltr)
DRV:64bit: - [2008.05.12 04:36:52 | 000,199,728 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2007.07.27 18:45:52 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rixdpx64.sys -- (rismxdp)
DRV:64bit: - [2007.07.26 19:33:54 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimspx64.sys -- (rimsptsk)
DRV - [2013.01.16 09:37:46 | 002,087,664 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\VirusDefs\20130121.019\ex64.sys -- (NAVEX15)
DRV - [2013.01.16 09:37:45 | 000,126,192 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\VirusDefs\20130121.019\eng64.sys -- (NAVENG)
DRV - [2012.12.05 03:06:12 | 000,513,184 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\IPSDefs\20130121.001\IDSviA64.sys -- (IDSVia64)
DRV - [2012.11.30 00:48:34 | 001,384,608 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\BASHDefs\20130111.001\BHDrvx64.sys -- (BHDrvx64)
DRV - [2012.10.21 11:28:56 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012.09.22 12:32:45 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.asus.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.asus.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.egofm.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D4 4E 13 3A FF 2C CB 01  [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {00AF063F-2DA8-4118-9901-4DD71292FCE9}
IE - HKCU\..\SearchScopes\{00AF063F-2DA8-4118-9901-4DD71292FCE9}: "URL" = hxxp://www.google.de/search?q={searchTerms}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{90D4F77D-1601-473E-993B-43882D17B2B5}: "URL" = hxxp://de.wikipedia.org/wiki/Spezial:Search?search={searchTerms}
IE - HKCU\..\SearchScopes\{F193B729-0F76-418D-B8A7-7E3289D86B7D}: "URL" = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=302398&p={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.defaultenginename,S: S", ""
FF - prefs.js..browser.search.defaultthis.engineName: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.order.1,S: S", ""
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=302398"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.selectedEngine,S: S", ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledAddons: ich%40maltegoetz.de:1.4.3
FF - prefs.js..extensions.enabledAddons: firefox%40ghostery.com:2.8.4
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.4.3
FF - prefs.js..extensions.enabledAddons: https-everywhere%40eff.org:3.1.3
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
FF - prefs.js..extensions.enabledItems: {E6C1199F-E687-42da-8C24-E7770CC3AE66}:1.7.2
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.1.94
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.1.94
FF - prefs.js..network.proxy.http: "109.94.240.35"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.type: 0
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: ""
FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: ""
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: ""
FF - prefs.js..keyword.URL: ""
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.11.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\coFFPlgn\ [2013.01.22 20:59:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video [2011.03.21 21:48:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa [2011.03.21 21:48:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\IPSFFPlgn\ [2012.12.09 14:48:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.01.20 03:50:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.01.20 03:50:34 | 000,000,000 | ---D | M]
 
[2010.07.26 23:50:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2013.01.21 22:47:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions
[2013.01.21 22:47:02 | 000,000,000 | ---D | M] (SaveByclick) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions\50fdb67008997@50fdb670089ac.com
[2013.01.09 13:04:23 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions\firefox@ghostery.com
[2013.01.21 22:47:01 | 000,000,000 | ---D | M] (HTTPS-Everywhere) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions\https-everywhere@eff.org
[2012.09.29 00:41:50 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions\ich@maltegoetz.de
[2013.01.16 21:00:28 | 000,389,447 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi
[2013.01.21 22:46:59 | 000,533,221 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012.12.08 21:58:53 | 001,268,546 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi
[2012.05.25 23:13:20 | 000,010,316 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\searchplugins\duckduckgo.xml
[2011.01.22 22:20:56 | 000,002,449 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\searchplugins\safesearch.xml
[2010.11.18 15:37:31 | 000,001,997 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\searchplugins\wolframalpha.xml
[2013.01.20 03:50:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.01.20 03:50:34 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2013.01.20 03:50:37 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.02.04 15:35:00 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.08.31 10:13:42 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.02.04 15:35:00 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.02.04 15:35:00 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.02.04 15:35:00 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.02.04 15:35:00 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - Extension: SaveByclick = C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Extensions\ebnbjphlnnamdhenkaackhonngkahiap\1\
 
O1 HOSTS File: ([2012.11.27 14:25:48 | 000,000,938 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\IPS\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (SaveByclick) - {A71096B6-BE43-EA8B-9AF5-B947D5EB4193} - C:\ProgramData\SaveByclick\50fdb67008b05.dll ()
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\coIEPlg.dll (Symantec Corporation)
O4:64bit: - HKLM..\Run: []  File not found
O4:64bit: - HKLM..\Run: [Cm106Sound] C:\Windows\Syswow64\cm106.dll (C-Media Corporation)
O4:64bit: - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe (ASUS)
O4 - HKLM..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe (ASUS)
O4 - HKLM..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe (ASUS)
O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\***\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: fritz.box ([]* in Lokales Intranet)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Vertrauenswürdige Sites)
O15 - HKCU\..Trusted Ranges: Range1 ([*] in Lokales Intranet)
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Reg Error: Value error.)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 10.10.2)
O16:64bit: - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab (Reg Error: Key error.)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} hxxp://support.asus.de/common/asusTek_sys_ctrl.cab (asusTek_sysctrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.10.2)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} Reg Error: Value error. (SysInfo Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B641F478-C481-4588-9D30-880E62B0E3A5}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D84773E1-7A83-40DB-9AAA-E32943FFDCAC}: DhcpNameServer = 192.168.178.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\progra~2\saveby~1\sprote~1.dll) - c:\progra~2\saveby~1\sprote~1.dll ()
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Programme\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.01.22 20:59:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.01.21 22:49:07 | 000,000,000 | ---D | C] -- C:\ProgramData\PDF Architect
[2013.01.21 22:47:41 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\PDF Architect
[2013.01.21 22:46:54 | 000,000,000 | ---D | C] -- C:\ProgramData\CLSoft LTD
[2013.01.21 22:46:46 | 000,000,000 | ---D | C] -- C:\ProgramData\BetterSoft
[2013.01.21 22:46:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SaveByclick
[2013.01.21 22:46:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SaveByClick
[2013.01.21 22:46:39 | 000,000,000 | ---D | C] -- C:\ProgramData\SaveByclick
[2013.01.21 22:46:27 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2013.01.21 22:45:41 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\pdfforge
[2013.01.21 22:45:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
[2013.01.21 22:45:40 | 000,103,936 | ---- | C] (pdfforge GbR) -- C:\Windows\SysNative\pdfcmon.dll
[2013.01.20 03:50:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013.01.03 00:45:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2012.12.27 23:23:11 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Local\NPE
[5 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.01.22 21:05:17 | 000,013,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.01.22 21:05:17 | 000,013,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.01.22 20:59:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.01.22 20:58:00 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.01.22 20:57:59 | 000,000,392 | -H-- | M] () -- C:\Windows\tasks\{41E1BF5C-C1B6-47E4-9892-C36F01B80AC1}.job
[2013.01.22 20:57:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.01.22 20:57:41 | 3220,525,056 | -HS- | M] () -- C:\hiberfil.sys
[2013.01.22 20:56:19 | 000,000,020 | ---- | M] () -- C:\Users\***\defogger_reenable
[2013.01.22 20:55:12 | 000,050,477 | ---- | M] () -- C:\Users\***\Desktop\Defogger.exe
[2013.01.22 20:17:00 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.01.21 22:37:40 | 000,001,702 | ---- | M] () -- C:\Windows\Cm106.ini.imi
[2013.01.13 01:56:46 | 000,007,651 | ---- | M] () -- C:\Users\***\AppData\Local\Resmon.ResmonCfg
[2013.01.11 11:39:42 | 000,103,936 | ---- | M] (pdfforge GbR) -- C:\Windows\SysNative\pdfcmon.dll
[2013.01.10 12:41:13 | 000,000,466 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013.01.09 20:19:03 | 000,412,936 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.01.09 19:47:12 | 001,529,494 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.01.09 19:47:12 | 000,657,948 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.01.09 19:47:12 | 000,619,184 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.01.09 19:47:12 | 000,131,288 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.01.09 19:47:12 | 000,107,504 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.01.07 13:27:27 | 129,568,298 | ---- | M] () -- C:\Users\***\Documents\PDFCreator.DMP
[5 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.01.22 20:56:19 | 000,000,020 | ---- | C] () -- C:\Users\***\defogger_reenable
[2013.01.22 20:55:11 | 000,050,477 | ---- | C] () -- C:\Users\***\Desktop\Defogger.exe
[2013.01.21 22:46:47 | 000,000,392 | -H-- | C] () -- C:\Windows\tasks\{41E1BF5C-C1B6-47E4-9892-C36F01B80AC1}.job
[2013.01.07 13:27:20 | 129,568,298 | ---- | C] () -- C:\Users\***\Documents\PDFCreator.DMP
[2012.12.26 18:29:00 | 000,002,598 | ---- | C] () -- C:\Users\***\Test.pfx
[2012.12.20 17:26:16 | 001,527,912 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.10.30 21:11:37 | 006,127,464 | ---- | C] () -- C:\Windows\SysWow64\nvopencl.dll
[2012.08.02 17:34:21 | 000,000,026 | ---- | C] () -- C:\Windows\Irremote.ini
[2012.05.15 01:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2012.04.28 20:15:01 | 000,060,304 | ---- | C] () -- C:\Users\***\g2mdlhlpx.exe
[2012.03.14 14:07:29 | 000,003,059 | ---- | C] () -- C:\Windows\Cm106.ini.cfg
[2012.02.28 02:05:45 | 000,000,218 | ---- | C] () -- C:\Users\***\AppData\Local\recently-used.xbel
[2011.09.28 16:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011.03.08 22:06:06 | 000,000,678 | ---- | C] () -- C:\Users\***\.jmf-resource
[2010.10.20 17:56:49 | 000,007,680 | ---- | C] () -- C:\Users\***\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.29 17:19:00 | 000,007,651 | ---- | C] () -- C:\Users\***\AppData\Local\Resmon.ResmonCfg
[2010.07.27 14:56:56 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010.07.26 22:56:37 | 000,000,466 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010.07.25 04:06:39 | 000,001,024 | ---- | C] () -- C:\Users\***\.rnd
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2011.11.01 01:33:44 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\DAEMON Tools Lite
[2012.05.23 13:13:35 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\elsterformular
[2012.02.27 22:02:06 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\fpdb
[2010.07.27 13:45:00 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Leadertech
[2012.08.15 23:41:59 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Origin
[2013.01.21 22:47:47 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\PDF Architect
[2013.01.21 22:45:41 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\pdfforge
[2012.11.13 00:08:30 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\ScummVM
[2013.01.21 21:23:56 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Spotify
[2010.08.25 17:10:50 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\The Creative Assembly
[2010.11.16 21:45:39 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Tific
[2010.07.27 17:33:47 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Trillian
[2012.06.25 03:09:01 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\TS3Client
[2012.12.27 23:23:59 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\ts3overlay
[2012.06.06 22:01:02 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Ubisoft
[2011.02.15 22:04:00 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\Unity
[2012.06.13 13:05:59 | 000,000,000 | ---D | M] -- C:\Users\***\AppData\Roaming\XnView
 
========== Purity Check ==========
 
 

< End of report >
         
I did not get an EXTRAS.txt from OTL.

The Gmer.txt is attached.

Maybe you will find something else in the logs, you never know. Thanks
Regards, Sensor

Last edited by Sensor (22.01.2013 at 23:52)
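As an added example that is not part of Sensor's post and not code from OTL itself: a small Python triage script over a handful of the O2/O4/O20 lines from the OTL log above. The sample lines are copied from the report; the triage rules (no company name in the file's version info, a "File not found" target, any AppInit_DLLs entry) and the LOAD_POINTS table are my own heuristic for deciding what to read first, not OTL's classification. A hit is a prompt for manual review, not a verdict: legitimate files sometimes lack a company name too.

```python
import re

# Constructed sample: six lines copied verbatim from the OTL log in the post above
# (a subset, not the whole report). "***" is the anonymised user name from the log.
SAMPLE_OTL = r"""O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.0.19\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (SaveByclick) - {A71096B6-BE43-EA8B-9AF5-B947D5EB4193} - C:\ProgramData\SaveByclick\50fdb67008b05.dll ()
O4:64bit: - HKLM..\Run: []  File not found
O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\***\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O20 - AppInit_DLLs: (c:\progra~2\saveby~1\sprote~1.dll) - c:\progra~2\saveby~1\sprote~1.dll ()
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
"""

# OTL section tag at the start of a line, e.g. "O2" or "O4:64bit:" -> "O4".
SECTION_RE = re.compile(r"^(O\d+)")
# OTL prints the PE version-info company name in parentheses at the end of the
# line; an empty pair "()" means the file carries no company name at all.
COMPANY_RE = re.compile(r"\(([^()]*)\)\s*$")

# The load points this triage looks at (a hypothetical selection for this
# example, not OTL's own classification).
LOAD_POINTS = {
    "O2": "Browser Helper Object loaded into Internet Explorer",
    "O4": "Run-key autostart entry",
    "O20": "AppInit_DLLs / Winlogon load point",
}


def triage_otl(text):
    """Return the O2/O4/O20 lines worth a closer look, with the reason for each.

    This is a prioritisation heuristic, not a verdict: legitimate files also
    sometimes lack a company name, so every hit still needs a human check.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        match = SECTION_RE.match(line)
        if not match or match.group(1) not in LOAD_POINTS:
            continue
        section = match.group(1)
        company_match = COMPANY_RE.search(line)
        company = company_match.group(1).strip() if company_match else None

        reasons = []
        if "File not found" in line:
            # Orphaned entry: the registry still points at a file that is gone.
            reasons.append("target file missing (orphaned load point)")
        elif company == "":
            reasons.append("file has no company name in its version info")
        if "AppInit_DLLs" in line:
            # With LoadAppInit_DLLs enabled, these DLLs are mapped into every
            # process that loads user32.dll, so any entry here deserves review.
            reasons.append("AppInit_DLLs entry (DLL injected into every user32 process)")

        if reasons:
            findings.append({
                "section": section,
                "load_point": LOAD_POINTS[section],
                "company": company,
                "line": line,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in triage_otl(SAMPLE_OTL):
        print(f"[{hit['section']}] {hit['load_point']}")
        print(f"    {hit['line']}")
        for reason in hit["reasons"]:
            print(f"    -> {reason}")
```

Run against the sample it reports the SaveByclick BHO, the orphaned HKLM Run entry and the AppInit_DLLs line, and leaves the signed Norton, Spotify and explorer.exe entries alone; a full OTL.txt can be checked the same way by passing its contents to `triage_otl`.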

Old 25.01.2013, 13:16   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Hello and

Does a quick scan with MBAM work, then?

Quote:
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Why a Professional edition of Windows, please? Who needs that as a home user?
Is this by any chance an office/company PC? Or a university computer?

Old 25.01.2013, 15:32   #3
Sensor
 
Hello,

Quote:
Quote from cosinus

Does a quick scan with MBAM work, then?
Well, the quick scan works, I just tried it; here is the log

Code:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.01.25.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
*** :: ***[Administrator]

25.01.2013 15:18:18
mbam-log-2013-01-25 (15-18-18).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 277617
Laufzeit: 2 Minute(n), 33 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
         
Quote:
Quote from cosinus

Why a Professional edition of Windows, please?
Because it was free for me as a student; before that, Win Vista was installed.

Quote:
Quote from cosinus

Is this by any chance an office/company PC? Or a university computer?
No, I am a home user.

Old 25.01.2013, 15:51   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
OK, thanks for the explanation

Before we get on with the rest of the work, I would ask you to read the following points completely and carefully.
  • Read the instructions I will post over the course of this thread carefully. Ask right away if anything is unclear to you, before you start carrying out my instructions.

  • If you have problems with a step, stop there and describe the problem to me as well as you can. Sometimes a step depends on the previous one.

  • Please only run scans that a helper has asked you to run! Do not install or uninstall any software without being asked!

  • Post the log files directly in your thread (in CODE tags, please) and not as attachments, unless you have been asked to. Logs in attachments make the evaluation harder for me!

  • Please also note => Deleting log files and other requests

Note:
If you have not heard from me for three days, please post in this thread => Reminder for my thread.
Annoying "when is it going to continue" messages will get your topic closed. I, too, have a life outside the Trojaner-Board.



Now please create and post logs with GMER (<<< click for instructions) and aswMBR (instructions a bit further down).
GMER crashes fairly often; if the tool still won't work on the second try, just skip it and only run aswMBR.

aswMBR download => aswMBR.exe - save the file to your desktop.
  • Start aswMBR.exe; Vista and Win7 users right-click and choose "Run as administrator".
  • The tool will ask whether you want to scan your system with the current AVAST! virus definitions. Please answer Yes. (If your firewall asks, please allow access to the internet.) Downloading the definitions can take a while depending on your connection.
  • Click Scan.
  • Wait until Scan finished successfully appears in the DOS window.
  • Click Save Log and save it to the desktop.
Post the aswMBR.txt in your next reply. Important: never press any of the Fix buttons without being told to. Note: if the Scan button is greyed out, close the tool and start it again. If it still doesn't work, please let me know.

One more note: if aswMBR crashes with a message like "aswMBR.exe has stopped working", do the following:
Restart aswMBR, select (none) under "AV scan" in the drop-down menu at the bottom left of the aswMBR window, and click the Scan button again.
__________________
Please always post log files in CODE tags

Old 25.01.2013, 17:41   #5
Sensor
 
TGIF

gmer:
Code:
GMER 2.0.18444 - hxxp://www.gmer.net
Rootkit scan 2013-01-25 17:02:25
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543232L9A300 rev.FB4OC40C 298,09GB
Running: gmer-2.0.18444.exe; Driver: C:\Users\***\AppData\Local\Temp\pwriyfob.sys


---- User code sections - GMER 2.0 ----

.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                       0000000077b7fc90 5 bytes JMP 000000010028091c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                     0000000077b7fdf4 5 bytes JMP 0000000100280048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                              0000000077b7fe88 5 bytes JMP 00000001002802ee
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                           0000000077b7ffe4 5 bytes JMP 00000001002804b2
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                   0000000077b80018 5 bytes JMP 00000001002809fe
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                           0000000077b80048 5 bytes JMP 0000000100280ae0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                        0000000077b80064 5 bytes JMP 000000010002004c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                           0000000077b8077c 5 bytes JMP 000000010028012a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                               0000000077b8086c 5 bytes JMP 0000000100280758
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                         0000000077b80884 5 bytes JMP 0000000100280676
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                             0000000077b80dd4 5 bytes JMP 00000001002803d0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                       0000000077b81900 5 bytes JMP 0000000100280594
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                   0000000077b81bc4 5 bytes JMP 000000010028083a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                          0000000077b81d50 5 bytes JMP 000000010028020c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                         00000000770d524f 7 bytes JMP 0000000100280f52
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                             00000000770d53d0 7 bytes JMP 0000000100290210
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                            00000000770d5677 1 byte JMP 0000000100290048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                            00000000770d5679 5 bytes {JMP 0xffffffff891ba9d1}
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                   00000000770d589a 7 bytes JMP 0000000100280ca6
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                   00000000770d5a1d 7 bytes JMP 00000001002903d8
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                              00000000770d5c9b 7 bytes JMP 000000010029012c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                00000000770d5d87 7 bytes JMP 00000001002902f4
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                               00000000770d7240 7 bytes JMP 0000000100280e6e
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1440] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                              0000000075ac1492 7 bytes JMP 00000001002904bc
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                          0000000077b7fc90 5 bytes JMP 000000010011091c
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                        0000000077b7fdf4 5 bytes JMP 0000000100110048
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                 0000000077b7fe88 5 bytes JMP 00000001001102ee
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                              0000000077b7ffe4 5 bytes JMP 00000001001104b2
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                      0000000077b80018 5 bytes JMP 00000001001109fe
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                              0000000077b80048 5 bytes JMP 0000000100110ae0
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                           0000000077b80064 5 bytes JMP 000000010002004c
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                              0000000077b8077c 5 bytes JMP 000000010011012a
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                  0000000077b8086c 5 bytes JMP 0000000100110758
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                            0000000077b80884 5 bytes JMP 0000000100110676
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                0000000077b80dd4 5 bytes JMP 00000001001103d0
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                          0000000077b81900 5 bytes JMP 0000000100110594
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                      0000000077b81bc4 5 bytes JMP 000000010011083a
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                             0000000077b81d50 5 bytes JMP 000000010011020c
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                 0000000075ac1492 7 bytes JMP 000000010012059e
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                            00000000770d524f 7 bytes JMP 0000000100110f52
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                00000000770d53d0 7 bytes JMP 0000000100120210
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                               00000000770d5677 1 byte JMP 0000000100120048
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                               00000000770d5679 5 bytes {JMP 0xffffffff8904a9d1}
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                      00000000770d589a 7 bytes JMP 0000000100110ca6
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                      00000000770d5a1d 7 bytes JMP 00000001001203d8
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                 00000000770d5c9b 7 bytes JMP 000000010012012c
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                   00000000770d5d87 7 bytes JMP 00000001001202f4
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                  00000000770d7240 7 bytes JMP 0000000100110e6e
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                                      0000000077b7fc90 5 bytes JMP 000000010027091c
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                                    0000000077b7fdf4 5 bytes JMP 0000000100270048
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                                             0000000077b7fe88 5 bytes JMP 00000001002702ee
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                                          0000000077b7ffe4 5 bytes JMP 00000001002704b2
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                                                  0000000077b80018 5 bytes JMP 00000001002709fe
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                                          0000000077b80048 5 bytes JMP 0000000100270ae0
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                                       0000000077b80064 5 bytes JMP 000000010002004c
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                                          0000000077b8077c 5 bytes JMP 000000010027012a
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                                              0000000077b8086c 5 bytes JMP 0000000100270758
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                                        0000000077b80884 5 bytes JMP 0000000100270676
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                                            0000000077b80dd4 5 bytes JMP 00000001002703d0
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                      0000000077b81900 5 bytes JMP 0000000100270594
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                                  0000000077b81bc4 5 bytes JMP 000000010027083a
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                                         0000000077b81d50 5 bytes JMP 000000010027020c
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                                             0000000075ac1492 7 bytes JMP 000000010028059e
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                                                        00000000770d524f 7 bytes JMP 0000000100270f52
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                                            00000000770d53d0 7 bytes JMP 0000000100280210
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                                           00000000770d5677 1 byte JMP 0000000100280048
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                                           00000000770d5679 5 bytes {JMP 0xffffffff891aa9d1}
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                                                  00000000770d589a 7 bytes JMP 0000000100270ca6
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                                                  00000000770d5a1d 7 bytes JMP 00000001002803d8
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                                             00000000770d5c9b 7 bytes JMP 000000010028012c
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                                               00000000770d5d87 7 bytes JMP 00000001002802f4
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                                              00000000770d7240 7 bytes JMP 0000000100270e6e
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82                                                                                                             00000000742417fa 2 bytes [24, 74]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88                                                                                                         0000000074241860 2 bytes [24, 74]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98                                                                                                       0000000074241942 2 bytes [24, 74]
.text    C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109                                                                                                      000000007424194d 2 bytes [24, 74]
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                       0000000077b7fc90 5 bytes JMP 000000010028091c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                     0000000077b7fdf4 5 bytes JMP 0000000100280048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                              0000000077b7fe88 5 bytes JMP 00000001002802ee
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                           0000000077b7ffe4 5 bytes JMP 00000001002804b2
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                   0000000077b80018 5 bytes JMP 00000001002809fe
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                           0000000077b80048 5 bytes JMP 0000000100280ae0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                        0000000077b80064 5 bytes JMP 000000010002004c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                           0000000077b8077c 5 bytes JMP 000000010028012a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                               0000000077b8086c 5 bytes JMP 0000000100280758
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                         0000000077b80884 5 bytes JMP 0000000100280676
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                             0000000077b80dd4 5 bytes JMP 00000001002803d0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                       0000000077b81900 5 bytes JMP 0000000100280594
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                   0000000077b81bc4 5 bytes JMP 000000010028083a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                          0000000077b81d50 5 bytes JMP 000000010028020c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                              0000000075ac1492 7 bytes JMP 000000010029059e
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                         00000000770d524f 7 bytes JMP 0000000100280f52
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                             00000000770d53d0 7 bytes JMP 0000000100290210
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                            00000000770d5677 1 byte JMP 0000000100290048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                            00000000770d5679 5 bytes {JMP 0xffffffff891ba9d1}
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                   00000000770d589a 7 bytes JMP 0000000100280ca6
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                   00000000770d5a1d 7 bytes JMP 00000001002903d8
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                              00000000770d5c9b 7 bytes JMP 000000010029012c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                00000000770d5d87 7 bytes JMP 00000001002902f4
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe[2776] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                               00000000770d7240 7 bytes JMP 0000000100280e6e
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                         0000000077b7fc90 5 bytes JMP 000000010024091c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                       0000000077b7fdf4 5 bytes JMP 0000000100240048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                0000000077b7fe88 5 bytes JMP 00000001002402ee
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                             0000000077b7ffe4 5 bytes JMP 00000001002404b2
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                     0000000077b80018 5 bytes JMP 00000001002409fe
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                             0000000077b80048 5 bytes JMP 0000000100240ae0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                          0000000077b80064 5 bytes JMP 000000010002004c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                             0000000077b8077c 5 bytes JMP 000000010024012a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                 0000000077b8086c 5 bytes JMP 0000000100240758
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                           0000000077b80884 5 bytes JMP 0000000100240676
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                               0000000077b80dd4 5 bytes JMP 00000001002403d0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                         0000000077b81900 5 bytes JMP 0000000100240594
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                     0000000077b81bc4 5 bytes JMP 000000010024083a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                            0000000077b81d50 5 bytes JMP 000000010024020c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                0000000075ac1492 7 bytes JMP 00000001002504bc
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                           00000000770d524f 7 bytes JMP 0000000100240f52
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                               00000000770d53d0 7 bytes JMP 0000000100250210
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                              00000000770d5677 1 byte JMP 0000000100250048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                              00000000770d5679 5 bytes {JMP 0xffffffff8917a9d1}
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                     00000000770d589a 7 bytes JMP 0000000100240ca6
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                     00000000770d5a1d 7 bytes JMP 00000001002503d8
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                00000000770d5c9b 7 bytes JMP 000000010025012c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                  00000000770d5d87 7 bytes JMP 00000001002502f4
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[2220] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                 00000000770d7240 7 bytes JMP 0000000100240e6e
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                        0000000077b7fc90 5 bytes JMP 000000010028091c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                      0000000077b7fdf4 5 bytes JMP 0000000100280048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                               0000000077b7fe88 5 bytes JMP 00000001002802ee
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                            0000000077b7ffe4 5 bytes JMP 00000001002804b2
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                    0000000077b80018 5 bytes JMP 00000001002809fe
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                            0000000077b80048 5 bytes JMP 0000000100280ae0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                         0000000077b80064 5 bytes JMP 000000010002004c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                            0000000077b8077c 5 bytes JMP 000000010028012a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                0000000077b8086c 5 bytes JMP 0000000100280758
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                          0000000077b80884 5 bytes JMP 0000000100280676
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                              0000000077b80dd4 5 bytes JMP 00000001002803d0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                        0000000077b81900 5 bytes JMP 0000000100280594
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                    0000000077b81bc4 5 bytes JMP 000000010028083a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                           0000000077b81d50 5 bytes JMP 000000010028020c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                               0000000075ac1492 7 bytes JMP 00000001002904bc
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                          00000000770d524f 7 bytes JMP 0000000100280f52
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                              00000000770d53d0 7 bytes JMP 0000000100290210
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                             00000000770d5677 1 byte JMP 0000000100290048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                             00000000770d5679 5 bytes {JMP 0xffffffff891ba9d1}
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                    00000000770d589a 7 bytes JMP 0000000100280ca6
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                    00000000770d5a1d 7 bytes JMP 00000001002903d8
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                               00000000770d5c9b 7 bytes JMP 000000010029012c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                 00000000770d5d87 7 bytes JMP 00000001002902f4
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe[2448] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                00000000770d7240 7 bytes JMP 0000000100280e6e
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                            0000000077b7fc90 5 bytes JMP 000000010029091c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077b7fdf4 5 bytes JMP 0000000100290048
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                   0000000077b7fe88 5 bytes JMP 00000001002902ee
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                0000000077b7ffe4 5 bytes JMP 00000001002904b2
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                        0000000077b80018 5 bytes JMP 00000001002909fe
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                0000000077b80048 5 bytes JMP 0000000100290ae0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                             0000000077b80064 5 bytes JMP 000000010003004c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                0000000077b8077c 5 bytes JMP 000000010029012a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                    0000000077b8086c 5 bytes JMP 0000000100290758
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                              0000000077b80884 5 bytes JMP 0000000100290676
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                  0000000077b80dd4 5 bytes JMP 00000001002903d0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                            0000000077b81900 5 bytes JMP 0000000100290594
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                        0000000077b81bc4 5 bytes JMP 000000010029083a
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                               0000000077b81d50 5 bytes JMP 000000010029020c
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                   0000000075ac1492 7 bytes JMP 00000001002a059e
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[2580] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                              00000000770d524f 7 bytes JMP 0000000100290f52
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                   0000000075cf1525 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                         0000000075cf153d 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                              0000000075cf1555 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                       0000000075cf156d 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                         0000000075cf1585 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                            0000000075cf159d 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                         0000000075cf15b5 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                       0000000075cf15cd 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                   0000000075cf16b2 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                   0000000075cf16bd 2 bytes [CF, 75]
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                     0000000075ac1492 7 bytes JMP 0000000100110762
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                00000000770d524f 7 bytes JMP 0000000100100f52
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                    00000000770d53d0 7 bytes JMP 0000000100110210
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                   00000000770d5677 1 byte JMP 0000000100110048
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                   00000000770d5679 5 bytes {JMP 0xffffffff8903a9d1}
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                          00000000770d589a 7 bytes JMP 0000000100100ca6
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                          00000000770d5a1d 7 bytes JMP 00000001001103d8
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                     00000000770d5c9b 7 bytes JMP 000000010011012c
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                       00000000770d5d87 7 bytes JMP 00000001001102f4
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3832] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                      00000000770d7240 7 bytes JMP 0000000100100e6e
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                           0000000077b7fc90 5 bytes JMP 000000010028091c
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                         0000000077b7fdf4 5 bytes JMP 0000000100280048
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                                                                                  0000000077b7fe88 5 bytes JMP 00000001002802ee
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                               0000000077b7ffe4 5 bytes JMP 00000001002804b2
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                                       0000000077b80018 5 bytes JMP 00000001002809fe
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                                                                                               0000000077b80048 5 bytes JMP 0000000100280ae0
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                                                                                            0000000077b80064 5 bytes JMP 000000010002004c
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                               0000000077b8077c 5 bytes JMP 000000010028012a
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                                                                                   0000000077b8086c 5 bytes JMP 0000000100280758
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                             0000000077b80884 5 bytes JMP 0000000100280676
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                                 0000000077b80dd4 5 bytes JMP 00000001002803d0
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                           0000000077b81900 5 bytes JMP 0000000100280594
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                       0000000077b81bc4 5 bytes JMP 000000010028083a
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                                                                                              0000000077b81d50 5 bytes JMP 000000010028020c
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206                                                                             00000000770d524f 7 bytes JMP 0000000100280f52
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                                                                                 00000000770d53d0 7 bytes JMP 0000000100290210
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149                                                                                00000000770d5677 1 byte JMP 0000000100290048
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151                                                                                00000000770d5679 5 bytes {JMP 0xffffffff891ba9d1}
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                                                                                       00000000770d589a 7 bytes JMP 0000000100280ca6
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                                                                                       00000000770d5a1d 7 bytes JMP 00000001002903d8
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                                                                                  00000000770d5c9b 7 bytes JMP 000000010029012c
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                                                                                    00000000770d5d87 7 bytes JMP 00000001002902f4
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123                                                                   00000000770d7240 7 bytes JMP 0000000100280e6e
.text    C:\Users\***\Desktop\gmer-2.0.18444.exe[2780] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                                                                                  0000000075ac1492 7 bytes JMP 00000001002904bc

---- User IAT/EAT - GMER 2.0 ----

IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]      [7fef8e6741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]                   [7fef8e65f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]            [7fef8e65674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]          [7fef8e65e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]           [7fef8e67f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]         [7fef8e66a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]          [7fef8e66ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]  [7fef8e67b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]           [7fef8e67ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]   [7fef8e678b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]            [7fef8e64fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]              [7fef8e65d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2000] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]     [7fef8e67584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.0 ----

Thread   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe [1440:1456]                                                                                                                  0000000000020060
Thread   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [1676:1704]                                                                                                                     0000000000020060
Thread   C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [1764:3876]                                                                                                    000000006abbe54e
Thread   C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [1764:4072]                                                                                                    000000006949eec8
Thread   C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [1764:4088]                                                                                                    000000006949eec8
Thread   C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [1764:4056]                                                                                                    000000006949eec8
Thread   C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [1764:2632]                                                                                                    000000007369319b
Thread   C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [1764:1568]                                                                                                    00000000679e1854
Thread   C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [1764:1896]                                                                                                    0000000064f07019
Thread   C:\Windows\SysWOW64\PnkBstrA.exe [1820:1828]                                                                                                                                                 0000000000020060
Thread   C:\ProgramData\BetterSoft\SaveByClick\SaveByClick.exe [2992:3028]                                                                                                                            0000000000020060
Thread   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe [2776:2796]                                                                                                                  0000000000020060
Thread   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe [2220:2892]                                                                                                                    0000000000020060
Thread   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe [2448:2540]                                                                                                                   0000000000020060
Thread   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe [2580:2640]                                                                                                                       0000000000030060
Thread   C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [3212:3220]                                                                                                                      0000000000030060
Thread   C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [3224:3256]                                                                                                                     0000000000020060
Thread   C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [3236:3268]                                                                                                              0000000000020060
Thread   C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [3244:3272]                                                                                                                 0000000000020060
Thread   C:\Windows\system\Cm106eye.exe [3344:3360]                                                                                                                                                   0000000000020060
Thread   C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [3832:724]                                                                                                          0000000000020060
Thread   C:\Users\***\Desktop\gmer-2.0.18444.exe [2780:3008]                                                                                                                                      0000000000020060

---- Processes - GMER 2.0 ----

Library  ? (*** suspicious ***) @ C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe [1764]                                                                                0000000076c10000

---- Registry - GMER 2.0 ----

Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015aff7d29d                                                                                                                  
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                                                          0x00 0x00 0x00 0x00 ...
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                                                          0
Reg      HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                                                       0x4E 0xA0 0x27 0x30 ...
Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015aff7d29d (not active ControlSet)                                                                                              
Reg      HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                                                                                         
Reg      HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                                                                                              0x00 0x00 0x00 0x00 ...
Reg      HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                                                                                              0
Reg      HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                                                                                           0x4E 0xA0 0x27 0x30 ...

---- EOF - GMER 2.0 ----
         
aswmbr
Code:
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-25 17:23:18
-----------------------------
17:23:18.852    OS Version: Windows x64 6.1.7601 Service Pack 1
17:23:18.854    Number of processors: 2 586 0x1706
17:23:18.854    ComputerName: ***-PC  UserName: ***
17:23:20.954    Initialize success
17:24:22.845    AVAST engine defs: 13012500
17:24:46.010    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:24:46.013    Disk 0 Vendor: Hitachi_HTS543232L9A300 FB4OC40C Size: 305245MB BusType: 11
17:24:46.029    Disk 0 MBR read successfully
17:24:46.030    Disk 0 MBR scan
17:24:46.035    Disk 0 Windows 7 default MBR code
17:24:46.043    Disk 0 Partition 1 00     1C Hidd FAT32 LBA MSDOS5.0    10000 MB offset 2048
17:24:46.061    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       152622 MB offset 20482048
17:24:46.066    Disk 0 Partition - 00     0F Extended LBA            142622 MB offset 333051904
17:24:46.103    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       142621 MB offset 333053952
17:24:46.129    Disk 0 scanning C:\Windows\system32\drivers
17:24:58.494    Service scanning
17:25:33.987    Modules scanning
17:25:33.995    Disk 0 trace - called modules:
17:25:34.020    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
17:25:34.025    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c32060]
17:25:34.030    3 CLASSPNP.SYS[fffff88001baa43f] -> nt!IofCallDriver -> [0xfffffa80046c0520]
17:25:34.035    5 ACPI.sys[fffff88000f1c7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80046cf1f0]
17:25:34.697    AVAST engine scan C:\Windows
17:25:37.275    AVAST engine scan C:\Windows\system32
17:28:52.434    AVAST engine scan C:\Windows\system32\drivers
17:29:07.790    AVAST engine scan C:\Users\***
17:29:54.471    Disk 0 MBR has been saved successfully to "C:\Users\***\Desktop\MBR.dat"
17:29:54.477    The log file has been saved successfully to "C:\Users\***\Desktop\aswMBR 2013-01-25.1.txt"
         
Here you go.


Alt 26.01.2013, 19:08   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Unpack the archive on your desktop.
  • In the newly created folder, please start mbar.exe.
  • Follow the instructions on your screen and allow the tool to scan your system.
  • Click the CleanUp button and allow the restart.
  • During the restart MBAR will remove the objects it found, so be patient.
  • After the restart, start mbar.exe again.
  • If something is found again, repeat the CleanUp process.
The tool will create a logfile ( mbar-log-<year-month-day>.txt ) in the created folder. Please post it here.

Do not start any other file in this folder without instruction from a helper.
__________________

Alt 26.01.2013, 22:53   #7
Sensor
 
I don't know how I should proceed here.
This was displayed right after running mbar.exe.

Alt 26.01.2013, 23:18   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Please click NO.
__________________
Please always post logfiles in CODE tags

Alt 27.01.2013, 00:16   #9
Sensor
 
Here is the logfile from mbar. I didn't need a CleanUp, it found nothing.

Code:
Malwarebytes Anti-Rootkit BETA 1.01.0.1016
www.malwarebytes.org

Database version: v2013.01.26.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
*** :: ***-PC [administrator]

27.01.2013 00:09:50
mbar-log-2013-01-27 (00-09-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: 
Objects scanned: 30332
Time elapsed: 34 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
         

Alt 27.01.2013, 00:40   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Unremarkable.

adwCleaner - detect toolbars and unwanted start/search pages

Please download AdwCleaner to your desktop.

If adwCleaner was already downloaded before, please delete the old adwcleaner.exe and download it again!!
  • Start adwcleaner.exe with a double-click.
  • Click on Suche (Search).
  • When the scan finishes, a text file opens.
  • Post me its contents in your next reply.
  • You can also find the logfile at C:\AdwCleaner[Rx].txt. (x = sequential number)
__________________
Please always post logfiles in CODE tags

Alt 27.01.2013, 00:54   #11
Sensor
 
Here is the AdwCleaner logfile.

Code:
# AdwCleaner v2.108 - Datei am 27/01/2013 um 00:45:53 erstellt
# Aktualisiert am 24/01/2013 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzer : *** - ***-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\***\Downloads\adwcleaner.exe
# Option [Suche]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Datei Gefunden : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\iydsqpdv.default\searchplugins\safesearch.xml
Ordner Gefunden : C:\Program Files (x86)\SaveByclick
Ordner Gefunden : C:\ProgramData\boost_interprocess
Ordner Gefunden : C:\ProgramData\InstallMate
Ordner Gefunden : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SaveByclick
Ordner Gefunden : C:\ProgramData\SaveByclick
Ordner Gefunden : C:\Users\***\AppData\LocalLow\boost_interprocess
Ordner Gefunden : C:\Users\***\AppData\Roaming\pdfforge
Ordner Gefunden : C:\Users\***1\AppData\LocalLow\boost_interprocess
Ordner Gefunden : C:\Users\***1\AppData\LocalLow\pdfforge
Ordner Gefunden : C:\Users\***1\AppData\LocalLow\Search Settings

***** [Registrierungsdatenbank] *****

Schlüssel Gefunden : HKCU\Software\AppDataLow\SProtector
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Schlüssel Gefunden : HKLM\Software\SP Global
Schlüssel Gefunden : HKLM\Software\SProtector
Schlüssel Gefunden : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26B5A6D1-1F75-3B59-5825-E4D4CAE3445D}

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v18.0.1 (de)

Datei : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\iydsqpdv.default\prefs.js

Gefunden : user_pref("aol_toolbar.default.homepage.check", false);
Gefunden : user_pref("aol_toolbar.default.search.check", false);
Gefunden : user_pref("extensions.50fdb67008a21.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]
Gefunden : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Gefunden : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Gefunden : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Gefunden : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Gefunden : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Gefunden : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Gefunden : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Gefunden : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Gefunden : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Gefunden : user_pref("sweetim.toolbar.searchguard.enable", "");

Datei : C:\Users\***1\AppData\Roaming\Mozilla\Firefox\Profiles\87hontx6.default\prefs.js

[OK] Die Datei ist sauber.

-\\ Google Chrome v [Version kann nicht ermittelt werden]

Datei : C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [3118 octets] - [27/01/2013 00:45:53]

########## EOF - C:\AdwCleaner[R1].txt - [3178 octets] ##########
         

Alt 27.01.2013, 01:06   #12
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 

adwCleaner - remove toolbars and unwanted start/search pages
  • Close all open programs and browsers.
  • Start adwcleaner.exe with a double-click.
  • Click on Löschen (Delete).
  • Confirm each prompt with Ok.
  • Your computer will be restarted. After the restart, a text file opens.
  • Post its contents in your next reply.
  • You can also find the log file at C:\AdwCleaner[Sx].txt (x = sequential number).

Then please do a check with OTL:
  • Double-click OTL.exe
  • Vista users: right-click OTL.exe and choose "Run as administrator"
  • At the top centre, tick Scan all users
  • At the top there is an Output box; please select Minimal Output
  • Under Extra Registry, please select Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 logfiles are created
  • Post the logfiles in CODE tags here in the thread.
__________________
Please always post logfiles in CODE tags

Alt 27.01.2013, 01:41   #13
Sensor
 

So this is what it looks like

AdwCleaner

Code:
# AdwCleaner v2.108 - Datei am 27/01/2013 um 01:15:20 erstellt
# Aktualisiert am 24/01/2013 von Xplode
# Betriebssystem : Windows 7 Professional Service Pack 1 (64 bits)
# Benutzer : *** - ***-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\***\Desktop\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Datei Gelöscht : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\iydsqpdv.default\searchplugins\safesearch.xml
Ordner Gelöscht : C:\Program Files (x86)\SaveByclick
Ordner Gelöscht : C:\ProgramData\boost_interprocess
Ordner Gelöscht : C:\ProgramData\InstallMate
Ordner Gelöscht : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SaveByclick
Ordner Gelöscht : C:\ProgramData\SaveByclick
Ordner Gelöscht : C:\Users\***\AppData\LocalLow\boost_interprocess
Ordner Gelöscht : C:\Users\***\AppData\Roaming\pdfforge
Ordner Gelöscht : C:\Users\***1\AppData\LocalLow\boost_interprocess
Ordner Gelöscht : C:\Users\***1\AppData\LocalLow\pdfforge
Ordner Gelöscht : C:\Users\***1\AppData\LocalLow\Search Settings

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKCU\Software\AppDataLow\SProtector
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Schlüssel Gelöscht : HKLM\Software\SP Global
Schlüssel Gelöscht : HKLM\Software\SProtector
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26B5A6D1-1F75-3B59-5825-E4D4CAE3445D}

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v18.0.1 (de)

Datei : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\iydsqpdv.default\prefs.js

Gelöscht : user_pref("aol_toolbar.default.homepage.check", false);
Gelöscht : user_pref("aol_toolbar.default.search.check", false);
Gelöscht : user_pref("extensions.50fdb67008a21.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]
Gelöscht : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Gelöscht : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Gelöscht : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Gelöscht : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Gelöscht : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Gelöscht : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Gelöscht : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Gelöscht : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Gelöscht : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Gelöscht : user_pref("sweetim.toolbar.searchguard.enable", "");

Datei : C:\Users\***1\AppData\Roaming\Mozilla\Firefox\Profiles\87hontx6.default\prefs.js

[OK] Die Datei ist sauber.

-\\ Google Chrome v [Version kann nicht ermittelt werden]

Datei : C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [3247 octets] - [27/01/2013 00:45:53]
AdwCleaner[S1].txt - [3178 octets] - [27/01/2013 01:15:20]

########## EOF - C:\AdwCleaner[S1].txt - [3238 octets] ##########
         
Extras

Code:
OTL Extras logfile created on: 27.01.2013 01:23:20 - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\***\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 2,51 Gb Available Physical Memory | 62,66% Memory free
8,00 Gb Paging File | 6,50 Gb Available in Paging File | 81,29% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 149,04 Gb Total Space | 81,64 Gb Free Space | 54,77% Space Free | Partition Type: NTFS
Drive D: | 139,28 Gb Total Space | 41,31 Gb Free Space | 29,66% Space Free | Partition Type: NTFS
 
Computer Name: ***-PC | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
[HKEY_USERS\S-1-5-21-4015648632-354441547-1344828329-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== System Restore Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{08F42B29-8E88-45DC-AAB2-41C43E944B70}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{0A971F51-64C4-43B8-B7BE-AF5687353B50}" = lport=137 | protocol=17 | dir=in | app=system | 
"{1717225A-9B8C-4D5E-A3A3-547AB0740D17}" = rport=137 | protocol=17 | dir=out | app=system | 
"{1974B330-F228-4695-81A1-18A69A0E8AB8}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{25AE39A0-BCE9-4838-A7AD-86248E3F43FC}" = rport=139 | protocol=6 | dir=out | app=system | 
"{2B10888A-91B5-46A3-9E2D-2CD9D4D7C231}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{2C2AC48F-5462-4621-8B49-0EB80324480C}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{3C5076B8-F69F-4F59-919F-2ADFBAFA4DB7}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{4B891F16-F3ED-45AB-91AD-2A4CF513DCD3}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{5293B108-25CB-4D2F-A29F-55183FBF1133}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{70BA7C49-F445-41A8-B16C-7F82814C4124}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{73E9BC12-ED1C-4A9E-A28D-38AEBF036394}" = lport=138 | protocol=17 | dir=in | app=system | 
"{83AF3075-3AA3-413E-AD8D-E9E1C638C583}" = lport=445 | protocol=6 | dir=in | app=system | 
"{9668BE01-ABDA-4E0C-A0C9-FD675BE55280}" = rport=138 | protocol=17 | dir=out | app=system | 
"{9DF4800F-B677-4FB8-87C6-2C0A723A5210}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | 
"{A8D59339-8E4C-41C5-BFE0-25723D6E032E}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{B4BE5194-D59E-4DC7-A4B1-C9472E9EA7DE}" = rport=445 | protocol=6 | dir=out | app=system | 
"{C17A8CB3-4F09-4FAB-8287-03D51AE4B7DD}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{D436BC1E-2D42-4F0F-A84E-D466EFA36460}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{DB793620-B130-499F-BC9F-FA0DC11F6B6E}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | 
"{F638C3ED-198B-47C0-98D0-93ACDE1DDDCF}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe | 
"{F8C7CCBE-BFFE-40D4-8A92-DBF40A1C6CB7}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{FEEF7CCE-C3CB-4B20-9442-843F17802C7D}" = lport=139 | protocol=6 | dir=in | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{07FC01E5-A3D9-4655-BDC5-C89786282EDD}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{08795F16-EA9D-4B0A-8D28-AB631DEB2EDD}" = protocol=6 | dir=in | app=d:\program files (x86)\ea games\mirror's edge\binaries\mirrorsedge.exe | 
"{09359EC2-70B2-4CDF-B638-2F9DE75CDF8D}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{0D28144B-E2F5-4009-BFD6-1C7FC9C6E3B5}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe | 
"{196C865D-A327-44AE-B8C5-1E50C7370BCF}" = protocol=6 | dir=in | app=d:\program files (x86)\steam\steamapps\common\planetside 2\launchpad.exe | 
"{29FF4B01-C584-48D3-B5E8-9BD1E6D6E7E3}" = protocol=17 | dir=in | app=d:\program files (x86)\origin games\mass effect 3\binaries\win32\masseffect3.exe | 
"{2B35474F-BFD9-4383-9FDC-5D596C74E883}" = protocol=17 | dir=in | app=d:\program files (x86)\ubisoft\assassin's creed\assassinscreed_dx10.exe | 
"{2BF2483A-DA94-4DDC-9A5C-99E272073134}" = protocol=6 | dir=in | app=d:\program files (x86)\rockstar games\grand theft auto iv\launchgtaiv.exe | 
"{340AF183-4E52-4D0B-9D75-228DF62537FD}" = protocol=17 | dir=in | app=d:\program files (x86)\rockstar games\grand theft auto iv\launchgtaiv.exe | 
"{452DF664-1933-4450-9DA1-9D0DBBC7C1BD}" = protocol=17 | dir=in | app=d:\program files (x86)\ea games\mirror's edge\binaries\mirrorsedge.exe | 
"{485B39E8-1AA1-4CA7-BDD7-E104E86CAB18}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{4897AFA2-2F35-480A-AD13-ABA1A9984E1B}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{540B75E0-990E-4E3F-A43A-DBBB03201834}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{58B9E731-316C-41CC-9002-4FE8754EBD8B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{5D17B9A4-DFAA-4027-83F0-36A1961B6CE0}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{7390C7A1-3E98-41C2-8BE0-489580A51C3F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{73EA2673-DCCE-4FCF-A406-BC4204EAA098}" = protocol=6 | dir=in | app=d:\program files (x86)\origin games\mass effect 3\binaries\win32\masseffect3.exe | 
"{777856B9-3FA6-4926-999D-359EADA84B35}" = protocol=17 | dir=in | app=d:\program files (x86)\steam\steam.exe | 
"{77A72245-2698-414C-8FF4-1C79469E8287}" = protocol=6 | dir=in | app=d:\program files (x86)\steam\steam.exe | 
"{7C21A0F2-0ADA-4F7F-BF4B-F2D067259A98}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{7EA91630-37EA-409E-8E1E-0D41B92CE89F}" = protocol=6 | dir=in | app=d:\program files (x86)\ubisoft\assassin's creed\assassinscreed_dx10.exe | 
"{8AEB5412-94B1-4DFB-9268-482F9BEE93DD}" = protocol=17 | dir=in | app=d:\program files (x86)\ubisoft\assassin's creed\assassinscreed_launcher.exe | 
"{A40F6565-68BF-4796-B7A4-E1ECCD14EB06}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | 
"{AD9A790B-A525-429D-B055-1144E18FEF40}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{B90021BD-F3A3-459E-82B9-4EE27B209CF7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{C63588D4-E70D-4441-84F4-0829DBC11348}" = protocol=6 | dir=in | app=d:\program files (x86)\origin games\mass effect 3\binaries\win32\masseffect3.exe | 
"{CB875A41-9F7F-4C94-BAFB-CC1C8CFC1A2D}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe | 
"{D4D21CF2-7369-49ED-AC94-1BF682095321}" = protocol=17 | dir=in | app=d:\program files (x86)\origin games\mass effect 3\binaries\win32\masseffect3.exe | 
"{D753A51F-3D4B-43F7-B98C-458999CCF47A}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{E234252D-5387-4E77-997D-3F9EBCD45F3B}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe | 
"{E872D1F5-36DA-451D-BDC7-51EB46691558}" = protocol=17 | dir=in | app=d:\program files (x86)\ubisoft\assassin's creed\assassinscreed_dx9.exe | 
"{ECA2C93F-CEB9-489D-B8F6-C77619803357}" = protocol=6 | dir=in | app=d:\program files (x86)\ubisoft\assassin's creed\assassinscreed_launcher.exe | 
"{F1FD6B92-2B25-4E8A-BB17-9DA55FDDDD6F}" = protocol=6 | dir=in | app=d:\program files (x86)\ubisoft\assassin's creed\assassinscreed_dx9.exe | 
"{FAB5D6CE-F837-44B1-81C7-D71EEBE79A32}" = protocol=17 | dir=in | app=d:\program files (x86)\steam\steamapps\common\planetside 2\launchpad.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
"{26A24AE4-039D-4CA4-87B4-2F86416030FF}" = Java(TM) 6 Update 30 (64-bit)
"{26A24AE4-039D-4CA4-87B4-2F86417010FF}" = Java 7 Update 10 (64-bit)
"{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}" = Paint.NET v3.5.10
"{58AA7AEC-49F5-485F-AAB4-01D78349581A}" = SaveByClick
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2007
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 301.42
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 301.42
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.12.0213
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.8.15
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD-Audiotreiber 1.3.16.0
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B3B750C0-8C22-439D-B7CE-67F3ED99CC2B}" = Microsoft Xbox 360 Accessories 1.2
"{E6C44758-FF49-47D1-8182-65E3818ACE23}" = AuthenTec TrueSuite
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CANONIJINBOXADDON200" = Canon Inkjet Printer Driver Add-On Module V2.00
"CCleaner" = CCleaner
"C-Media CM106 Like Sound Driver" = MEDUSA NX USB 5.1 Gaming Headset
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"SaveByClick" = 
"SP6" = Logitech SetPoint 6.32
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinRAR archiver" = WinRAR
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{22E95014-3038-4909-8708-48AE7FEFBF05}" = DSL Connection Manager
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{26A24AE4-039D-4CA4-87B4-2F83217010FF}" = Java 7 Update 11
"{33286280-8617-11E1-8FF6-B8AC6F97B88E}" = Google Earth Plug-in
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{3F0D0ABE-CDAF-431A-00BC-CBBE018EA74E}" = SimCity 4 Deluxe
"{40580068-9B10-40B5-9548-536CE88AB23C}" = ITECIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{534A31BD-20F4-46b0-85CE-09778379663C}" = Mass Effect™ 3
"{5454083B-1308-4485-BF17-1110000D8301}" = Grand Theft Auto IV
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{579BA58C-F33D-4970-9953-B94B43768AC3}" = Grand Theft Auto IV
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.55.03
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8CFA9151-6404-409A-AF22-4632D04582FD}" = Assassin's Creed
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_PROPLUSR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_PROPLUSR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_PROPLUSR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_PROPLUSR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_PROPLUSR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_PROPLUSR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_PROPLUSR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUSR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUSR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_PROPLUSR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002A-0000-1000-0000000FF1CE}_PROPLUSR_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002A-0407-1000-0000000FF1CE}_PROPLUSR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007
"{90120000-0044-0407-0000-0000000FF1CE}_PROPLUSR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_PROPLUSR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A5B876D-A900-4AAB-B557-DE827BE46E6C}" = Nero 8 Essentials
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}" = ATK Package
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.5) - Deutsch
"{ADB1DE83-FC42-4C3F-B64B-2AF2215EF88B}" = Cisco AnyConnect Secure Mobility Client
"{AEDBD563-24BB-4EE3-8366-A654DAC2D988}" = Mirror's Edge™
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{D3D54F3E-C5C3-443D-978F-87A72E5616E8}" = ATK Generic Function Service
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX
"{EA17F4FC-FDBF-4CF8-A529-2D983132D053}" = Skype™ 6.0
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F7FC9307-374E-4017-8E9D-DE1154780480}" = System Requirements Lab for Intel
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"AVMFBox" = AVM FRITZ!Box Dokumentation
"AVMFBoxPrinter" = AVM FRITZ!Box Druckeranschluss
"Cisco AnyConnect Secure Mobility Client" = Cisco AnyConnect Secure Mobility Client 
"DivX Setup.divx.com" = DivX-Setup
"ElsterFormular 13.2.0.8623p" = ElsterFormular
"Fraps" = Fraps (remove only)
"Generic USB 106 Sound" = SL-8795 Headset
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"Mass Effect 2 German_is1" = Mass Effect 2 German
"Mozilla Firefox 18.0.1 (x86 de)" = Mozilla Firefox 18.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NIS" = Norton Internet Security
"Origin" = Origin
"PROPLUSR" = Microsoft Office Professional Plus 2007
"PunkBusterSvc" = PunkBuster Services
"ScummVM_is1" = ScummVM 1.5.0
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.20
"SP_661c9f97" = 
"Steam App 218" = Source SDK Base 2007
"Steam App 218230" = PlanetSide 2
"Steam App 440" = Team Fortress 2
"Sweet Home 3D_is1" = Sweet Home 3D version 3.1
"SystemRequirementsLab" = System Requirements Lab
"Trillian" = Trillian
"VLC media player" = VLC media player 2.0.5
"XnView_is1" = XnView 1.97.6
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-4015648632-354441547-1344828329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Amazon Kindle" = Amazon Kindle
"Spotify" = Spotify
"TeamSpeak 3 Client" = TeamSpeak 3 Client
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 15.01.2013 19:41:32 | Computer Name = ***-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Program Files
 (x86)\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe". Fehler in  Manifest- oder Richtliniendatei
 "" in Zeile .  Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt
 mit  einer anderen, bereits aktiven Komponentenversion.  In Konflikt stehende Komponenten:.
Komponente
 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Komponente
 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
 
Error - 19.01.2013 14:25:03 | Computer Name = ***-PC | Source = SideBySide | ID = 16842827
Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Program Files
 (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe". Fehler in Manifest-
 oder Richtliniendatei "C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe"
 in Zeile 2.  Mehrere requestedPrivileges-Elemente sind nicht im Manifest zulässig.
 
Error - 19.01.2013 14:25:04 | Computer Name = ***-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Program Files
 (x86)\Nero\Nero8\Nero Toolkit\DiscSpeed.exe". Fehler in  Manifest- oder Richtliniendatei
 "" in Zeile .  Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt
 mit  einer anderen, bereits aktiven Komponentenversion.  In Konflikt stehende Komponenten:.
Komponente
 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente
 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error - 19.01.2013 14:25:05 | Computer Name = ***-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Program Files
 (x86)\Nero\Nero8\Nero PhotoSnap\PhotoSnap.exe". Fehler in  Manifest- oder Richtliniendatei
 "" in Zeile .  Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt
 mit  einer anderen, bereits aktiven Komponentenversion.  In Konflikt stehende Komponenten:.
Komponente
 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Komponente
 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
 
Error - 19.01.2013 14:25:05 | Computer Name = ***-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Program Files
 (x86)\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe". Fehler in  Manifest- oder Richtliniendatei
 "" in Zeile .  Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt
 mit  einer anderen, bereits aktiven Komponentenversion.  In Konflikt stehende Komponenten:.
Komponente
 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Komponente
 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
 
Error - 20.01.2013 16:13:01 | Computer Name = ***-PC | Source = Windows Backup | ID = 4103
Description = 
 
Error - 20.01.2013 16:22:56 | Computer Name = ***-PC | Source = Windows Backup | ID = 4103
Description = 
 
Error - 21.01.2013 11:48:21 | Computer Name = ***-PC | Source = SideBySide | ID = 16842827
Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Program Files
 (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe". Fehler in Manifest-
 oder Richtliniendatei "C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe"
 in Zeile 2.  Mehrere requestedPrivileges-Elemente sind nicht im Manifest zulässig.
 
Error - 21.01.2013 11:48:26 | Computer Name = ***-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Program Files
 (x86)\Nero\Nero8\Nero Toolkit\DiscSpeed.exe". Fehler in  Manifest- oder Richtliniendatei
 "" in Zeile .  Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt
 mit  einer anderen, bereits aktiven Komponentenversion.  In Konflikt stehende Komponenten:.
Komponente
 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Komponente
 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error - 21.01.2013 11:48:27 | Computer Name = ***-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Program Files
 (x86)\Nero\Nero8\Nero PhotoSnap\PhotoSnap.exe". Fehler in  Manifest- oder Richtliniendatei
 "" in Zeile .  Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt
 mit  einer anderen, bereits aktiven Komponentenversion.  In Konflikt stehende Komponenten:.
Komponente
 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Komponente
 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
 
Error - 21.01.2013 11:48:27 | Computer Name = ***-PC | Source = SideBySide | ID = 16842832
Description = Fehler beim Generieren des Aktivierungskontexts für "C:\Program Files
 (x86)\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe". Fehler in  Manifest- oder Richtliniendatei
 "" in Zeile .  Eine für die Anwendung erforderliche Komponentenversion steht in Konflikt
 mit  einer anderen, bereits aktiven Komponentenversion.  In Konflikt stehende Komponenten:.
Komponente
 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Komponente
 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
 
[ Cisco AnyConnect Secure Mobility Client Events ]
Error - 28.03.2012 08:28:22 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: ProfileMgr::loadProfile File: .\ProfileMgr.cpp Line: 518 Invoked
 Function: ProfileMgr::loadProfile Return Code: -33554423 (0xFE000009) Description:
 GLOBAL_ERROR_UNEXPECTED Duplicate host <asa-cluster.lrz.de> found in the profile
 <C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\lrz.xml>.
 Host discarded.
 
Error - 28.03.2012 08:28:41 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: CThread::invokeRun File: .\Utility\Thread.cpp Line: 376 Invoked
 Function: IRunnable::Run Return Code: -32047093 (0xFE17000B) Description: BROWSERPROXY_ERROR_NO_PROXY_FILE

 
Error - 29.03.2012 07:28:35 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: ProfileMgr::loadProfile File: .\ProfileMgr.cpp Line: 518 Invoked
 Function: ProfileMgr::loadProfile Return Code: -33554423 (0xFE000009) Description:
 GLOBAL_ERROR_UNEXPECTED Duplicate host <asa-cluster.lrz.de> found in the profile
 <C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\lrz.xml>.
 Host discarded.
 
Error - 29.03.2012 07:28:49 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: CThread::invokeRun File: .\Utility\Thread.cpp Line: 376 Invoked
 Function: IRunnable::Run Return Code: -32047093 (0xFE17000B) Description: BROWSERPROXY_ERROR_NO_PROXY_FILE

 
Error - 30.03.2012 04:20:12 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: ProfileMgr::loadProfile File: .\ProfileMgr.cpp Line: 518 Invoked
 Function: ProfileMgr::loadProfile Return Code: -33554423 (0xFE000009) Description:
 GLOBAL_ERROR_UNEXPECTED Duplicate host <asa-cluster.lrz.de> found in the profile
 <C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\lrz.xml>.
 Host discarded.
 
Error - 30.03.2012 04:20:49 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: CThread::invokeRun File: .\Utility\Thread.cpp Line: 376 Invoked
 Function: IRunnable::Run Return Code: -32047093 (0xFE17000B) Description: BROWSERPROXY_ERROR_NO_PROXY_FILE

 
Error - 30.03.2012 05:16:04 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: ProfileMgr::loadProfile File: .\ProfileMgr.cpp Line: 518 Invoked
 Function: ProfileMgr::loadProfile Return Code: -33554423 (0xFE000009) Description:
 GLOBAL_ERROR_UNEXPECTED Duplicate host <asa-cluster.lrz.de> found in the profile
 <C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\lrz.xml>.
 Host discarded.
 
Error - 30.03.2012 12:23:34 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: ProfileMgr::loadProfile File: .\ProfileMgr.cpp Line: 518 Invoked
 Function: ProfileMgr::loadProfile Return Code: -33554423 (0xFE000009) Description:
 GLOBAL_ERROR_UNEXPECTED Duplicate host <asa-cluster.lrz.de> found in the profile
 <C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\lrz.xml>.
 Host discarded.
 
Error - 30.03.2012 12:26:22 | Computer Name = ***-PC | Source = acvpnagent | ID = 67108866
Description = Function: CThread::invokeRun File: .\Utility\Thread.cpp Line: 376 Invoked
 Function: IRunnable::Run Return Code: -32047093 (0xFE17000B) Description: BROWSERPROXY_ERROR_NO_PROXY_FILE

 
Error - 30.03.2012 15:10:09 | Computer Name = ***-PC | Source = acvpnagent | ID = 67110873
Description = Termination reason code 7: The agent has been stopped.
 
[ Media Center Events ]
Error - 28.09.2011 07:59:58 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 13:59:55 - Directory konnte nicht abgerufen werden (Fehler: Timeout
 für Vorgang überschritten)  
 
Error - 05.10.2011 05:10:27 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 11:10:26 - Fehler beim Herstellen der Internetverbindung.  11:10:26 
-     Serververbindung konnte nicht hergestellt werden..  
 
Error - 05.10.2011 05:11:13 | Computer Name = ***-PC | Source = MCUpdate | ID = 0
Description = 11:10:56 - Fehler beim Herstellen der Internetverbindung.  11:10:56 
-     Serververbindung konnte nicht hergestellt werden..  
 
[ System Events ]
Error - 22.01.2013 15:27:34 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
Error - 22.01.2013 15:57:49 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
Error - 22.01.2013 16:31:03 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
Error - 22.01.2013 16:48:04 | Computer Name = ***-PC | Source = volsnap | ID = 393230
Description = Die Schattenkopien von Volume "F:" wurden aufgrund eines E/A-Fehlers
 auf Volume "F:" abgebrochen.
 
Error - 23.01.2013 03:45:56 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
Error - 24.01.2013 05:36:51 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
Error - 25.01.2013 05:38:09 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
Error - 25.01.2013 12:07:22 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
Error - 25.01.2013 12:32:54 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
Error - 26.01.2013 20:17:55 | Computer Name = ***-PC | Source = Service Control Manager | ID = 7003
Description = Der Dienst "ATKGFNEX Service" ist von folgendem Dienst abhängig: ASMMAP64.
 Dieser Dienst ist eventuell nicht installiert.
 
 
< End of report >
         
and OTL

Code:
OTL logfile created on: 27.01.2013 01:23:20 - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\***\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
4,00 Gb Total Physical Memory | 2,51 Gb Available Physical Memory | 62,66% Memory free
8,00 Gb Paging File | 6,50 Gb Available in Paging File | 81,29% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 149,04 Gb Total Space | 81,64 Gb Free Space | 54,77% Space Free | Partition Type: NTFS
Drive D: | 139,28 Gb Total Space | 41,31 Gb Free Space | 29,66% Space Free | Partition Type: NTFS
 
Computer Name: ***-PC | User Name: *** | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\***\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\ProgramData\BetterSoft\SaveByClick\SaveByClick.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\Windows\SysWOW64\PnkBstrA.exe ()
PRC - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe (ASUS)
PRC - C:\Windows\system\cm106eye.exe ()
PRC - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe (ASUS)
PRC - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe (ASUS)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\PROGRAM FILES (X86)\NORTON INTERNET SECURITY\ENGINE\20.2.1.22\wincfi39.dll ()
MOD - C:\Windows\system\cm106eye.exe ()
MOD - C:\Windows\system\cmau106.dll ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (NIS) -- C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\ccSvcHst.exe (Symantec Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (LBTServ) -- C:\Programme\Common Files\LogiShrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (vpnagent) -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (Cisco Systems, Inc.)
SRV - (PnkBstrA) -- C:\Windows\SysWOW64\PnkBstrA.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (wlidsvc) -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corporation)
SRV - (ASLDRService) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe (ASUS)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (ATKGFNEXSrv) -- C:\Programme\ATKGFNEX\GFNEXSrv.exe ()
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (SymEvent) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS (Symantec Corporation)
DRV:64bit: - (SRTSP) -- C:\Windows\SysNative\drivers\NISx64\1402010.016\srtsp64.sys (Symantec Corporation)
DRV:64bit: - (SymEFA) -- C:\Windows\SysNative\drivers\NISx64\1402010.016\symefa64.sys (Symantec Corporation)
DRV:64bit: - (SymDS) -- C:\Windows\SysNative\drivers\NISx64\1402010.016\symds64.sys (Symantec Corporation)
DRV:64bit: - (SymNetS) -- C:\Windows\SysNative\drivers\NISx64\1402010.016\symnets.sys (Symantec Corporation)
DRV:64bit: - (SymIRON) -- C:\Windows\SysNative\drivers\NISx64\1402010.016\ironx64.sys (Symantec Corporation)
DRV:64bit: - (ATSwpWDF) -- C:\Windows\SysNative\drivers\ATSwpWDF.sys (AuthenTec, Inc.)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (ccSet_NIS) -- C:\Windows\SysNative\drivers\NISx64\1402010.016\ccsetx64.sys (Symantec Corporation)
DRV:64bit: - (SymIM) -- C:\Windows\SysNative\drivers\SymIMV.sys (Symantec Corporation)
DRV:64bit: - (SRTSPX) -- C:\Windows\SysNative\drivers\NISx64\1402010.016\srtspx64.sys (Symantec Corporation)
DRV:64bit: - (NVHDA) -- C:\Windows\SysNative\drivers\nvhda64v.sys (NVIDIA Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (vpnva) -- C:\Windows\SysNative\drivers\vpnva64.sys (Cisco Systems, Inc.)
DRV:64bit: - (acsock) -- C:\Windows\SysNative\drivers\acsock64.sys (Cisco Systems, Inc.)
DRV:64bit: - (LMouFilt) -- C:\Windows\SysNative\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV:64bit: - (LHidFilt) -- C:\Windows\SysNative\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek                                            )
DRV:64bit: - (MEMSWEEP2) -- C:\Windows\SysNative\6E63.tmp (Sophos Plc)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (seehcri) -- C:\Windows\SysNative\drivers\seehcri.sys (Sony Ericsson Mobile Communications)
DRV:64bit: - (ggsemc) -- C:\Windows\SysNative\drivers\ggsemc.sys (Sony Ericsson Mobile Communications)
DRV:64bit: - (ggflt) -- C:\Windows\SysNative\drivers\ggflt.sys (Sony Ericsson Mobile Communications)
DRV:64bit: - (atksgt) -- C:\Windows\SysNative\drivers\atksgt.sys ()
DRV:64bit: - (lirsgt) -- C:\Windows\SysNative\drivers\lirsgt.sys ()
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys (Duplex Secure Ltd.)
DRV:64bit: - (LUsbFilt) -- C:\Windows\SysNative\drivers\LUsbFilt.sys (Logitech, Inc.)
DRV:64bit: - (USBMULCD) -- C:\Windows\SysNative\drivers\CM10664.sys (C-Media Electronics Inc)
DRV:64bit: - (NETw5s64) -- C:\Windows\SysNative\drivers\NETw5s64.sys (Intel Corporation)
DRV:64bit: - (xusb21) -- C:\Windows\SysNative\drivers\xusb21.sys (Microsoft Corporation)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (AgereSoftModem) -- C:\Windows\SysNative\drivers\agrsm64.sys (LSI Corp)
DRV:64bit: - (netw5v64) -- C:\Windows\SysNative\drivers\netw5v64.sys (Intel Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\drivers\ATK64AMD.sys (ASUS)
DRV:64bit: - (itecir) -- C:\Windows\SysNative\drivers\itecir.sys (ITE Tech. Inc. )
DRV:64bit: - (bpenum) -- C:\Windows\SysNative\drivers\bpenum.sys (Intel Corporation)
DRV:64bit: - (rimmptsk) -- C:\Windows\SysNative\drivers\rimmpx64.sys (REDC)
DRV:64bit: - (kbfiltr) -- C:\Windows\SysNative\drivers\kbfiltr.sys ( )
DRV:64bit: - (ApfiltrService) -- C:\Windows\SysNative\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV:64bit: - (rismxdp) -- C:\Windows\SysNative\drivers\rixdpx64.sys (REDC)
DRV:64bit: - (rimsptsk) -- C:\Windows\SysNative\drivers\rimspx64.sys (REDC)
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\VirusDefs\20130126.007\ex64.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\VirusDefs\20130126.007\eng64.sys (Symantec Corporation)
DRV - (BHDrvx64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\BASHDefs\20130116.013\BHDrvx64.sys (Symantec Corporation)
DRV - (IDSVia64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\Definitions\IPSDefs\20130124.001\IDSviA64.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys (Symantec Corporation)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.asus.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = 
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.asus.com
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.egofm.de/
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D4 4E 13 3A FF 2C CB 01  [binary data]
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..\SearchScopes\{00AF063F-2DA8-4118-9901-4DD71292FCE9}: "URL" = hxxp://www.google.de/search?q={searchTerms}
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..\SearchScopes\{90D4F77D-1601-473E-993B-43882D17B2B5}: "URL" = hxxp://de.wikipedia.org/wiki/Spezial:Search?search={searchTerms}
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..\SearchScopes\{F193B729-0F76-418D-B8A7-7E3289D86B7D}: "URL" = hxxp://de.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=302398&p={searchTerms}
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-4015648632-354441547-1344828329-1009\..\SearchScopes,DefaultScope = 
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.defaultenginename,S: S", ""
FF - prefs.js..browser.search.defaultthis.engineName: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.order.1,S: S", ""
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=302398"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.selectedEngine,S: S", ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledAddons: ich%40maltegoetz.de:1.4.3
FF - prefs.js..extensions.enabledAddons: firefox%40ghostery.com:2.8.4
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.4.3
FF - prefs.js..extensions.enabledAddons: https-everywhere%40eff.org:3.1.3
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
FF - prefs.js..extensions.enabledItems: {E6C1199F-E687-42da-8C24-E7770CC3AE66}:1.7.2
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.1.94
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.1.94
FF - prefs.js..network.proxy.http: "109.94.240.35"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.11.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\coFFPlgn\ [2013.01.27 01:19:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video [2011.03.21 21:48:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa [2011.03.21 21:48:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.1.2\IPSFFPlgn\ [2012.12.09 14:48:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013.01.20 03:50:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013.01.20 03:50:34 | 000,000,000 | ---D | M]
 
[2010.07.26 23:50:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2013.01.21 22:47:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions
[2013.01.21 22:47:02 | 000,000,000 | ---D | M] (SaveByclick) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions\50fdb67008997@50fdb670089ac.com
[2013.01.09 13:04:23 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions\firefox@ghostery.com
[2013.01.21 22:47:01 | 000,000,000 | ---D | M] (HTTPS-Everywhere) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions\https-everywhere@eff.org
[2012.09.29 00:41:50 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\iydsqpdv.default\extensions\ich@maltegoetz.de
[2013.01.16 21:00:28 | 000,389,447 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi
[2013.01.21 22:46:59 | 000,533,221 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012.12.08 21:58:53 | 001,268,546 | ---- | M] () (No name found) -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi
[2012.05.25 23:13:20 | 000,010,316 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\searchplugins\duckduckgo.xml
[2010.11.18 15:37:31 | 000,001,997 | ---- | M] () -- C:\Users\***\AppData\Roaming\mozilla\firefox\profiles\iydsqpdv.default\searchplugins\wolframalpha.xml
[2013.01.20 03:50:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2013.01.20 03:50:34 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2013.01.20 03:50:37 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.02.04 15:35:00 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.08.31 10:13:42 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.02.04 15:35:00 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.02.04 15:35:00 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.02.04 15:35:00 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.02.04 15:35:00 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - Extension: SaveByclick = C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Extensions\ebnbjphlnnamdhenkaackhonngkahiap\1\
 
O1 HOSTS File: ([2012.11.27 14:25:48 | 000,000,938 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\IPS\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (SaveByclick) - {A71096B6-BE43-EA8B-9AF5-B947D5EB4193} - C:\ProgramData\SaveByclick\50fdb67008b05.dll File not found
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.2.1.22\coIEPlg.dll (Symantec Corporation)
O4:64bit: - HKLM..\Run: []  File not found
O4:64bit: - HKLM..\Run: [Cm106Sound] C:\Windows\Syswow64\cm106.dll (C-Media Corporation)
O4:64bit: - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe (ASUS)
O4 - HKLM..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe (ASUS)
O4 - HKLM..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe (ASUS)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-4015648632-354441547-1344828329-1009..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..Trusted Domains: clonewarsadventures.com ([]* in Vertrauenswürdige Sites)
O15 - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..Trusted Domains: freerealms.com ([]* in Vertrauenswürdige Sites)
O15 - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..Trusted Domains: fritz.box ([]* in Lokales Intranet)
O15 - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..Trusted Domains: soe.com ([]* in Vertrauenswürdige Sites)
O15 - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..Trusted Domains: sony.com ([]* in Vertrauenswürdige Sites)
O15 - HKU\S-1-5-21-4015648632-354441547-1344828329-1000\..Trusted Ranges: Range1 ([*] in Lokales Intranet)
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Reg Error: Value error.)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 10.10.2)
O16:64bit: - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab (Reg Error: Key error.)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} hxxp://support.asus.de/common/asusTek_sys_ctrl.cab (asusTek_sysctrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.10.2)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} Reg Error: Value error. (SysInfo Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B641F478-C481-4588-9D30-880E62B0E3A5}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D84773E1-7A83-40DB-9AAA-E32943FFDCAC}: DhcpNameServer = 192.168.178.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\progra~2\saveby~1\sprote~1.dll) -  File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Programme\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.01.26 22:32:03 | 000,000,000 | ---D | C] -- C:\Users\***\Desktop\mbar
[2013.01.25 17:23:00 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\***\Desktop\aswmbr.exe
[2013.01.22 20:59:49 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.01.21 22:49:07 | 000,000,000 | ---D | C] -- C:\ProgramData\PDF Architect
[2013.01.21 22:47:41 | 000,000,000 | ---D | C] -- C:\Users\***\AppData\Roaming\PDF Architect
[2013.01.21 22:46:54 | 000,000,000 | ---D | C] -- C:\ProgramData\CLSoft LTD
[2013.01.21 22:46:46 | 000,000,000 | ---D | C] -- C:\ProgramData\BetterSoft
[2013.01.21 22:45:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
[2013.01.21 22:45:40 | 000,662,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCT2.OCX
[2013.01.21 22:45:40 | 000,137,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSMAPI32.OCX
[2013.01.21 22:45:40 | 000,103,936 | ---- | C] (pdfforge GbR) -- C:\Windows\SysNative\pdfcmon.dll
[2013.01.21 22:45:39 | 000,158,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCMCDE.DLL
[2013.01.21 22:45:39 | 000,125,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\VB6DE.DLL
[2013.01.21 22:45:39 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCC2DE.DLL
[2013.01.21 22:45:39 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSMPIDE.DLL
[2013.01.21 00:06:29 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2013.01.21 00:06:29 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2013.01.21 00:06:29 | 000,095,648 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2013.01.20 03:50:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013.01.09 19:41:28 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RdpGroupPolicyExtension.dll
[2013.01.09 19:41:28 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbRedirectionGroupPolicyExtension.dll
[2013.01.09 19:41:28 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbRedirectionGroupPolicyControl.exe
[2013.01.09 19:41:27 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys
[2013.01.09 19:41:27 | 000,019,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys
[2013.01.09 19:41:26 | 003,174,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorets.dll
[2013.01.09 19:41:26 | 001,123,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstsc.exe
[2013.01.09 19:41:26 | 001,048,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstsc.exe
[2013.01.09 19:41:26 | 000,384,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wksprt.exe
[2013.01.09 19:41:26 | 000,322,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aaclient.dll
[2013.01.09 19:41:26 | 000,269,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\aaclient.dll
[2013.01.09 19:41:26 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpudd.dll
[2013.01.09 19:41:26 | 000,228,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpendp_winip.dll
[2013.01.09 19:41:26 | 000,192,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rdpendp_winip.dll
[2013.01.09 19:41:26 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TSWbPrxy.exe
[2013.01.09 19:41:26 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsRdpWebAccess.dll
[2013.01.09 19:41:26 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MsRdpWebAccess.dll
[2013.01.09 19:41:26 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\tsgqec.dll
[2013.01.09 19:41:26 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TsUsbGDCoInstaller.dll
[2013.01.09 19:41:26 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\tsgqec.dll
[2013.01.09 19:41:26 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wksprtPS.dll
[2013.01.09 19:41:26 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wksprtPS.dll
[2013.01.09 19:41:25 | 005,773,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2013.01.09 19:41:25 | 004,916,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2013.01.09 19:17:44 | 000,750,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2013.01.09 19:17:44 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2013.01.09 19:17:28 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2013.01.09 19:17:25 | 000,800,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\usp10.dll
[2013.01.09 19:17:17 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc-nz.rs
[2013.01.09 19:17:17 | 000,045,568 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc-nz.rs
[2013.01.09 19:17:17 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\csrr.rs
[2013.01.09 19:17:17 | 000,043,520 | ---- | C] (Microsoft) -- C:\Windows\SysNative\csrr.rs
[2013.01.09 19:17:16 | 002,746,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gameux.dll
[2013.01.09 19:17:16 | 002,576,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gameux.dll
[2013.01.09 19:17:16 | 000,441,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Wpc.dll
[2013.01.09 19:17:16 | 000,308,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Wpc.dll
[2013.01.09 19:17:16 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cero.rs
[2013.01.09 19:17:16 | 000,055,296 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cero.rs
[2013.01.09 19:17:16 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\esrb.rs
[2013.01.09 19:17:16 | 000,051,712 | ---- | C] (Microsoft) -- C:\Windows\SysNative\esrb.rs
[2013.01.09 19:17:16 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\fpb.rs
[2013.01.09 19:17:16 | 000,046,592 | ---- | C] (Microsoft) -- C:\Windows\SysNative\fpb.rs
[2013.01.09 19:17:16 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegibbfc.rs
[2013.01.09 19:17:16 | 000,044,544 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegibbfc.rs
[2013.01.09 19:17:16 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\cob-au.rs
[2013.01.09 19:17:16 | 000,040,960 | ---- | C] (Microsoft) -- C:\Windows\SysNative\cob-au.rs
[2013.01.09 19:17:16 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\usk.rs
[2013.01.09 19:17:16 | 000,030,720 | ---- | C] (Microsoft) -- C:\Windows\SysNative\usk.rs
[2013.01.09 19:17:16 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\oflc.rs
[2013.01.09 19:17:16 | 000,023,552 | ---- | C] (Microsoft) -- C:\Windows\SysNative\oflc.rs
[2013.01.09 19:17:16 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\grb.rs
[2013.01.09 19:17:16 | 000,021,504 | ---- | C] (Microsoft) -- C:\Windows\SysNative\grb.rs
[2013.01.09 19:17:16 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-pt.rs
[2013.01.09 19:17:16 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-pt.rs
[2013.01.09 19:17:16 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi-fi.rs
[2013.01.09 19:17:16 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi-fi.rs
[2013.01.09 19:17:16 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\pegi.rs
[2013.01.09 19:17:16 | 000,020,480 | ---- | C] (Microsoft) -- C:\Windows\SysNative\pegi.rs
[2013.01.09 19:17:16 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\djctq.rs
[2013.01.09 19:17:16 | 000,015,360 | ---- | C] (Microsoft) -- C:\Windows\SysNative\djctq.rs
[2013.01.09 19:16:43 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2013.01.09 19:16:43 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2013.01.09 19:16:42 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2013.01.09 19:16:42 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2013.01.09 19:16:42 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2013.01.09 19:16:42 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2013.01.09 19:16:42 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2013.01.09 19:16:42 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2013.01.09 19:16:42 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2013.01.09 19:16:42 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2013.01.09 19:16:42 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2013.01.09 19:16:42 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2013.01.09 19:16:42 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2013.01.09 19:16:42 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2013.01.09 19:16:42 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2013.01.09 19:16:42 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2013.01.09 19:16:42 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2013.01.09 19:16:42 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2013.01.09 19:16:42 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2013.01.09 19:16:41 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2013.01.09 19:16:28 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskhost.exe
[2013.01.03 00:45:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[5 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.01.27 01:25:17 | 000,013,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.01.27 01:25:17 | 000,013,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.01.27 01:18:22 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.01.27 01:18:22 | 000,000,392 | -H-- | M] () -- C:\Windows\tasks\{41E1BF5C-C1B6-47E4-9892-C36F01B80AC1}.job
[2013.01.27 01:17:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.01.27 01:17:50 | 3220,525,056 | -HS- | M] () -- C:\hiberfil.sys
[2013.01.27 00:44:24 | 000,578,255 | ---- | M] () -- C:\Users\***\Desktop\adwcleaner.exe
[2013.01.27 00:17:00 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.01.26 22:45:47 | 000,044,564 | ---- | M] () -- C:\Users\***\Desktop\MBAR Screenshot.JPG
[2013.01.25 17:29:54 | 000,000,512 | ---- | M] () -- C:\Users\***\Desktop\MBR.dat
[2013.01.25 17:23:00 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\***\Desktop\aswmbr.exe
[2013.01.25 16:04:49 | 000,365,568 | ---- | M] () -- C:\Users\***\Desktop\gmer-2.0.18444.exe
[2013.01.24 12:42:55 | 001,507,566 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.01.24 12:42:55 | 000,657,948 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2013.01.24 12:42:55 | 000,619,184 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.01.24 12:42:55 | 000,131,288 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2013.01.24 12:42:55 | 000,107,504 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.01.24 12:05:37 | 000,012,196 | ---- | M] () -- C:\Users\***\Documents\Brief Kopfzeile Standart.dotx
[2013.01.24 10:36:37 | 002,188,701 | ---- | M] () -- C:\Windows\SysNative\drivers\NISx64\1402010.016\Cat.DB
[2013.01.24 10:35:54 | 000,014,818 | ---- | M] () -- C:\Windows\SysNative\drivers\NISx64\1402010.016\VT20130115.021
[2013.01.22 20:59:55 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2013.01.22 20:56:19 | 000,000,020 | ---- | M] () -- C:\Users\***\defogger_reenable
[2013.01.22 20:55:12 | 000,050,477 | ---- | M] () -- C:\Users\***\Desktop\Defogger.exe
[2013.01.21 22:37:40 | 000,001,702 | ---- | M] () -- C:\Windows\Cm106.ini.imi
[2013.01.13 01:56:46 | 000,007,651 | ---- | M] () -- C:\Users\***\AppData\Local\Resmon.ResmonCfg
[2013.01.12 03:30:18 | 000,095,648 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2013.01.12 03:26:16 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2013.01.12 03:24:49 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2013.01.11 12:08:49 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013.01.11 12:08:49 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013.01.11 11:39:42 | 000,103,936 | ---- | M] (pdfforge GbR) -- C:\Windows\SysNative\pdfcmon.dll
[2013.01.10 12:41:13 | 000,000,466 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013.01.10 08:44:09 | 000,000,172 | ---- | M] () -- C:\Windows\SysNative\drivers\NISx64\1402010.016\isolate.ini
[2013.01.09 20:19:03 | 000,412,936 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013.01.07 13:27:27 | 129,568,298 | ---- | M] () -- C:\Users\***\Documents\PDFCreator.DMP
[5 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.01.27 00:44:20 | 000,578,255 | ---- | C] () -- C:\Users\***\Desktop\adwcleaner.exe
[2013.01.26 22:45:47 | 000,044,564 | ---- | C] () -- C:\Users\***\Desktop\MBAR Screenshot.JPG
[2013.01.25 17:29:54 | 000,000,512 | ---- | C] () -- C:\Users\***\Desktop\MBR.dat
[2013.01.25 16:04:49 | 000,365,568 | ---- | C] () -- C:\Users\***\Desktop\gmer-2.0.18444.exe
[2013.01.24 12:05:37 | 000,012,196 | ---- | C] () -- C:\Users\***\Documents\Brief Kopfzeile Standart.dotx
[2013.01.22 20:56:19 | 000,000,020 | ---- | C] () -- C:\Users\***\defogger_reenable
[2013.01.22 20:55:11 | 000,050,477 | ---- | C] () -- C:\Users\***\Desktop\Defogger.exe
[2013.01.21 22:46:47 | 000,000,392 | -H-- | C] () -- C:\Windows\tasks\{41E1BF5C-C1B6-47E4-9892-C36F01B80AC1}.job
[2013.01.07 13:27:20 | 129,568,298 | ---- | C] () -- C:\Users\***\Documents\PDFCreator.DMP
[2012.12.26 18:29:00 | 000,002,598 | ---- | C] () -- C:\Users\***\Test.pfx
[2012.12.20 17:26:16 | 001,527,912 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012.10.30 21:11:37 | 006,127,464 | ---- | C] () -- C:\Windows\SysWow64\nvopencl.dll
[2012.08.02 17:34:21 | 000,000,026 | ---- | C] () -- C:\Windows\Irremote.ini
[2012.05.15 01:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2012.04.28 20:15:01 | 000,060,304 | ---- | C] () -- C:\Users\***\g2mdlhlpx.exe
[2012.03.14 14:07:29 | 000,003,059 | ---- | C] () -- C:\Windows\Cm106.ini.cfg
[2012.02.28 02:05:45 | 000,000,218 | ---- | C] () -- C:\Users\***\AppData\Local\recently-used.xbel
[2011.09.28 16:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011.03.08 22:06:06 | 000,000,678 | ---- | C] () -- C:\Users\***\.jmf-resource
[2010.10.20 17:56:49 | 000,007,680 | ---- | C] () -- C:\Users\***\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.29 17:19:00 | 000,007,651 | ---- | C] () -- C:\Users\***\AppData\Local\Resmon.ResmonCfg
[2010.07.27 14:56:56 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010.07.26 22:56:37 | 000,000,466 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010.07.25 04:06:39 | 000,001,024 | ---- | C] () -- C:\Users\***\.rnd
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.20 13:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
         

Alt 27.01.2013, 13:24   #14
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Fix with OTL

  • Please start OTL.exe.
  • Now copy the contents of the code box into the text box.
Code:
:OTL
O4:64bit: - HKLM..\Run: []  File not found
O20 - AppInit_DLLs: (c:\progra~2\saveby~1\sprote~1.dll) -  File not found
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[resethosts]
         
  • If you have obscured your username, e.g. with "*****", insert your real username at the corresponding place. Otherwise the fix will not work.
  • Now please close all programs.
  • Now please click the Fix button.
  • OTL may require a restart. Please allow it.
  • After the restart you will find a text document on your desktop.
    ( Also found at C:\_OTL\MovedFiles\<Uhrzeit_Datum>.txt)
    Now copy its contents here into your thread
__________________
Please always post logfiles in CODE tags
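The fix script above removes an empty HKLM Run entry, a stale AppInit_DLLs value whose DLL no longer exists, and resets the hosts file. As an added example (not from cosinus's post and not OTL's own code), the following PowerShell script audits exactly those locations on a Windows 7 x64 machine so a reader can verify the result or check another system. It assumes an elevated PowerShell and the standard registry paths; the classification logic (target file missing, non-localhost hosts mappings) is this example's own.

```powershell
# Added example for this thread, not from cosinus's post and not OTL's own code.
# Audits the autostart locations the OTL fix touches (O4 Run entries and the
# O20 AppInit_DLLs value) plus the hosts file, and reports entries whose target
# file no longer exists or that are non-default. Assumes Windows 7 x64 and an
# elevated PowerShell; the registry paths are the standard Windows ones.

$findings = New-Object System.Collections.Generic.List[object]

# --- O20: AppInit_DLLs ---------------------------------------------------------
# Anything listed here is mapped into every process that loads user32.dll, so a
# leftover entry pointing at a deleted DLL (as in the fix above) is worth knowing about.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }
    # The value is a comma- or space-separated list; short (8.3) paths resolve in Test-Path.
    foreach ($dll in ($raw -split '[,;\s]+' | Where-Object { $_ })) {
        $full = [Environment]::ExpandEnvironmentVariables($dll)
        $findings.Add([pscustomobject]@{
            Location = "$key\AppInit_DLLs"
            Target   = $full
            Exists   = Test-Path -LiteralPath $full
            Note     = "LoadAppInit_DLLs=$($props.LoadAppInit_DLLs)"
        })
    }
}

# --- O4: Run keys ----------------------------------------------------------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    # GetValueNames() includes the unnamed (default) value as '', which is what the
    # "HKLM..\Run: []  File not found" line in the OTL log refers to.
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        # Take the executable from a quoted command line, else the first token.
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $findings.Add([pscustomobject]@{
            Location = "$key\[$name]"
            Target   = $exe
            Exists   = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            Note     = $cmd
        })
    }
}

# --- Hosts file --------------------------------------------------------------------
# [resethosts] in the fix restores the default file; here we only list mappings
# other than localhost, so a redirect of update or AV domains would stand out.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$nonDefault = Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' } |
    Where-Object { $_ -notmatch '^\s*\S+\s+localhost(\.localdomain)?\s*$' }

# --- Report ------------------------------------------------------------------------
"Autostart entries whose target file is missing, plus every AppInit_DLLs entry:"
$findings |
    Where-Object { -not $_.Exists -or $_.Location -like '*AppInit_DLLs' } |
    Format-Table Location, Target, Exists, Note -AutoSize

if ($nonDefault) {
    "Non-default hosts entries:"
    $nonDefault
} else {
    "Hosts file contains only comments and localhost entries."
}
```

Run it once before and once after the fix: the stale `saveby~1\sprote~1.dll` AppInit entry and the empty-named Run value should appear in the first run and be gone in the second, and the hosts section should be empty after `[resethosts]`.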

Alt 27.01.2013, 14:18   #15
Sensor
 
The text document after the restart.

Code:
All processes killed
========== OTL ==========
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~2\saveby~1\sprote~1.dll deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Auflösungscache wurde geleert.
C:\Users\***\Desktop\cmd.bat deleted successfully.
C:\Users\***\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 836573 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: ***
->Temp folder emptied: 3493 bytes
->Temporary Internet Files folder emptied: 105200018 bytes
->Java cache emptied: 5666274 bytes
->FireFox cache emptied: 420713295 bytes
->Flash cache emptied: 6285 bytes
 
User: ***1
->Temp folder emptied: 151327557 bytes
->Temporary Internet Files folder emptied: 248689983 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 46292494 bytes
->Flash cache emptied: 5247 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 757760 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 12288 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 216603 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67832 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 935,00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.69.0 log created on 01272013_140712

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
         
